<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Breach Response | CMS Information Security &amp; Privacy Group</title><meta name="description" content="The steps taken at CMS in response to a suspected breach of personally 
identifiable information (PII)"/><link rel="canonical" href="https://security.cms.gov/learn/breach-response"/><meta property="og:title" content="Breach Response | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="The steps taken at CMS in response to a suspected breach of personally identifiable information (PII)"/><meta property="og:url" content="https://security.cms.gov/learn/breach-response"/><meta property="og:type" content="website"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Breach Response</h1><p class="hero__description">The steps taken at CMS in response to a suspected breach of personally identifiable information (PII)</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Incident Management Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:IMT@cms.hhs.gov">IMT@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-sec_privacy-policy</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto 
overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>Protecting sensitive information at CMS</h2><p>CMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. When the security of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.</p><h3>Incidents and breaches</h3><p>Anytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an <strong>incident</strong>. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk, so they can be assessed and mitigated by incident responders. Report a suspected incident as soon as it is discovered; do not wait to confirm whether PII is involved, since that determination is made by the incident responders, not the reporter.</p><ul><li>Phone: 410-786-2580 or 800-562-1963</li><li>Email: <a href="mailto:CMS_IT_Service_Desk@cms.hhs.gov">CMS_IT_Service_Desk@cms.hhs.gov</a></li></ul><p>If an incident involves the loss of control of, unauthorized access to, or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a <strong>breach</strong>. Every breach begins as an incident; it is classified as a breach once incident responders determine that PII has been affected. 
The compromise of other types of sensitive data, such as Protected Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.</p><p>Breach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. Detailed information about incident response at CMS can be found in the <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir">CMS Risk Management Handbook Chapter 8: Incident Response</a>.</p><h2>Who participates in breach response?</h2><p>Breach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:</p><ul><li>Personnel at the <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center</a> who support CMS Incident Response (IR)</li><li>People within CMS responsible for ensuring system security and privacy, such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)</li><li>People at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)</li><li>CMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and who must document how their services fit into the breach response process</li></ul><h2>Breach response steps</h2><p>Breach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h3 class="usa-process-list__heading">Reporting</h3><div class="margin-top-05 usa-process-list__description"><p>The incident ticket submitted by the CMS IT Service Desk is the first notice to CMS of a possible breach. 
The IT Service Desk works with the individual reporting an incident to create an initial <strong>incident report</strong> as a deliverable to the Incident Management Team (IMT) and creates a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.</p></div></li><li class="usa-process-list__item"><h3 class="usa-process-list__heading">Risk assessment</h3><div class="margin-top-05 usa-process-list__description"><p>IMT works with the affected system&#x27;s officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the <strong>IMT Risk Assessment</strong> as a deliverable.</p></div></li><li class="usa-process-list__item"><h3 class="usa-process-list__heading">Breach analysis</h3><div class="margin-top-05 usa-process-list__description"><p>The Breach Analysis Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a <strong>Notification and Mitigation Plan</strong> for submission to the HHS Privacy Incident Response Team (PIRT). The Business Owner of the system has the final decision within CMS on whether notification and mitigation will go forward, subject to HHS PIRT review in the next step.</p></div></li><li class="usa-process-list__item"><h3 class="usa-process-list__heading">Notification and mitigation</h3><div class="margin-top-05 usa-process-list__description"><p>HHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary, or may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system is responsible for executing the approved plan, together with the Contracting Officer's Representative (COR) if the affected system is a contractor system.</p></div></li></ol></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-breach-response-handbook">CMS Breach Response Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Procedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting requirements</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-breach-analysis-team-bat-handbook">CMS Breach Analysis Team (BAT) Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Procedures for the Breach Analysis Team (BAT) to follow when a team is convened to address a breach of PII at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-security-and-privacy-handbooks">CMS Security and Privacy Handbooks</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Procedures to help CMS staff and contractors implement federal 
policies and standards for information security and privacy</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" 
href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"breach-response\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"breach-response\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"breach-response\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"breach-response\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"child
ren\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef1
94fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk 
Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at 
CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous 
Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and 
Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology 
(NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk 
Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System 
of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Tbf8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eProtecting sensitive information at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncidents and breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. 
All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk, so they can be assessed and mitigated by incident responders.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e. Breaches begin as incidents until incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Personal Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.\u003c/p\u003e\u003cp\u003eBreach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. Detailed information about incident response at CMS can be found in the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Risk Management Handbook Chapter 8: Incident Response\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho participates in breach response?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response has its own protocol separate from (but related to) incident response. 
It requires coordination among various stakeholders across CMS and HHS:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e who support CMS Incident Response (IR)\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Tbf8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eProtecting sensitive information at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. 
When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncidents and breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk, so they can be assessed and mitigated by incident responders.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e. Breaches begin as incidents until incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Personal Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.\u003c/p\u003e\u003cp\u003eBreach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. 
Detailed information about incident response at CMS can be found in the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Risk Management Handbook Chapter 8: Incident Response\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho participates in breach response?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e who support CMS Incident Response (IR)\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T7b99,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax 
Information (FTI) at the CMS to meet federal requirements for breach response. The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.\u003c/p\u003e\u003cp\u003eThese procedures help to ensure a coordinated response from all entities responsible for investigating and mitigating a breach, including organizations internal and external to CMS, as well as those responsible for remediating any identified process shortfalls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThese procedures apply to federal information and information systems, as defined in the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Modernization Act (FISMA)\u003c/a\u003e but not to national security systems.\u003c/p\u003e\u003cp\u003eThis handbook covers breach response activities at CMS as an Operating Division (OpDiv) of the U.S. Department of Health and Human Services (HHS). It applies to CMS employees, contractors, grant recipients, interns, and affiliates supporting CMS. All organizations collecting or maintaining information or using or operating information systems on behalf of CMS also need to follow these procedures in accordance with such organizations contractual requirements to report to and cooperate with CMS during a breach.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOut-of-scope entities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMedicare Advantage (Plans C and D) and State Medicaid programs are not CMS FISMA entities but are HIPAA-covered entities. 
These entities must honor their own reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs this handbook?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis handbook is for all CMS stakeholders who may need to participate in or approve of breach response activities, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the CMS Cybersecurity Integration Center who support CMS Incident Response (IR)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System Owners (SO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDefinitions for incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eExact reporting requirements during a breach depend on the nature of the data affected by the breach. The Office of Management and Budget (OMB) has defined multiple types of security and privacy incidents within the scope of the Executive Branch. 
This section presents definitions of types of sensitive data and breach categories for use at CMS.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat counts as sensitive data?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 prescribes that \u003cstrong\u003ePersonally Identifiable Information\u003c/strong\u003e refers to information that can be used to distinguish or trace an individuals identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can distinguish or trace an individuals identity, the term PII is necessarily broad.\u003c/p\u003e\u003cp\u003eThe Health Insurance Portability and Accountability Act (HIPAA) provides that \u003cstrong\u003eProtected Health Information\u003c/strong\u003e is personally identifiable health information. PHI is also PII.\u003c/p\u003e\u003cp\u003eInternal Revenue Service Publication 1075 prescribes that \u003cstrong\u003eFederal Tax Information\u003c/strong\u003e consists of federal tax returns and return information (and information derived from it) that is in an agencys possession or control. 
FTI may contain PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is an incident?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to the CMS Risk Management Handbook, an\u003cstrong\u003e incident\u003c/strong\u003e is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is a breach?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 stipulates that a \u003cstrong\u003ebreach\u003c/strong\u003e is a type of incident in which there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where either of these occurs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA person other than an authorized user accesses or potentially accesses PII\u003c/li\u003e\u003cli\u003eAn authorized user accesses PII for an other-than-authorized purpose\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreaches begin as incidents until incident responders determine that PII has been affected. Breach activities will often take place concurrently to ongoing incident response activities, such as containment, eradication, and recovery activities. For more information about Incident Response process, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eCMS will assess suspected breaches of PII to determine if they represent enough risk of harm to individuals whose data was compromised to require notification and mitigation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-20-04, a \u003cstrong\u003emajor incident\u003c/strong\u003e is an incident that compromises U.S. national security. CMS does not store any data that, if breached, may impact national security. 
OMB also defines any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people as a major incident. Major incidents must be reported to Congress within seven days.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReporting incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIncident responders may determine during the incident response process, as more information about an incident is discovered, that the incident falls into other incident categories that trigger additional reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of reporting triggers\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTrigger\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOutcome\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAll Incidents\u003c/td\u003e\u003ctd\u003eNotify HHS, notify US-CERT (Computer Emergency Response Team)\u003c/td\u003e\u003ctd\u003eHHS is automatically notified by the CMS incident ticketing system; HHS handles reporting to US-CERT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll Suspected or Confirmed Breaches\u003c/td\u003e\u003ctd\u003eConduct Risk Assessment\u003c/td\u003e\u003ctd\u003eIf the breach is not in a predefined low-risk category, the CMS Breach Analysis Team must convene.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGreater than 500 individuals within same jurisdiction are affected by a breach\u003c/td\u003e\u003ctd\u003eNotify media in affected jurisdiction\u003c/td\u003e\u003ctd\u003eContact CMS Media Relations Group (MRG)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach indicates illegal activity\u003c/td\u003e\u003ctd\u003eContact Law Enforcement via HHS oversight 
body\u003c/td\u003e\u003ctd\u003eContact HHS Office of Inspector General (OIG) Computer Crimes Unit (CCU)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach affects FTI\u003c/td\u003e\u003ctd\u003eNotify the IRS Office of Safeguards and the Treasury Inspector General for Tax Administration (TIGTA) within 24 hours of identifying the incident\u003c/td\u003e\u003ctd\u003eContact CMS-IRS Liaison\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e100,000 or more individuals are affected by the breach (Major Incident)\u003c/td\u003e\u003ctd\u003eNotify Congress within seven days\u003c/td\u003e\u003ctd\u003eContact Office of Legislation\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eAll incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe report should be made immediately upon discovery to start the CMS incident response process. The IT Service Desk instructs the reporter to fill out an incident report using the Incident Report Template, which is then sent to the Incident Management Team (IMT). Incidents must be reported whether they are confirmed to have occurred or are only suspected to have occurred. The Service Desk refers security and privacy incidents to IMT, which then coordinates efforts to analyze, contain, and eradicate the incident.\u003c/p\u003e\u003cp\u003eAll incidents involving CMS must be reported to HHS to ensure that HHS can provide accurate incident statistics for its OpDivs as per FISMA requirements. By integrating CMS's incident ticketing system with HHS, CMS automatically notifies HHS of incidents. 
More details on the CMS Incident Response capability and reporting requirements for incidents other than breaches can be found in the Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAll breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) investigates reported security and privacy incidents to determine if they meet the definition of a breach. The team does not need confirmation of a breach to begin the breach response process — they should treat an incident as a breach as soon as the investigation reveals that PII, PHI, or FTI may have been compromised by the incident.\u003c/p\u003e\u003cp\u003eIf an incident reaches the status of a suspected breach, IMT conducts a risk assessment on the suspected breach using the Risk Assessment Checklist. Then they notify the CMS Breach Analysis Team (BAT) that a suspected breach has occurred and provide the BAT with the results of the risk assessment.\u003c/p\u003e\u003cp\u003eThe BAT convenes to review the risk assessment and determine the likelihood of sensitive data compromise according to the CMS Breach Analysis Team Handbook. The team assigns the breach a risk rating of Low, Moderate, or High, and advises the affected system's Business Owner (BO) on whether CMS must notify the affected individuals. 
Should notification be necessary, the Senior Official for Privacy (SOP) at CMS works with the following people to develop a notification and mitigation plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBusiness Owner of the CMS system affected by the breach\u003c/li\u003e\u003cli\u003eContracting Officer's Representative (COR) for any affected contractors\u003c/li\u003e\u003cli\u003eIncident responders\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the nature and quantity of the sensitive data compromised by the breach, different reporting requirements apply:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003ePHI\u003c/strong\u003e, the HIPAA Breach Notification Rule applies in addition to the OMB M-17-12 requirements that apply to any breach of PII (PHI is also PII).\u003c/li\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003eFTI\u003c/strong\u003e, the IRS requires that the U.S. Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards be notified within 24 hours.\u003c/li\u003e\u003cli\u003eIf a breach compromises any data that may impact U.S. national security or otherwise meets the definition of a \u003cstrong\u003emajor incident\u003c/strong\u003e, then Congress must be notified.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eLow risk scenarios\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome privacy incidents are considered low risk and do not rise to the threshold of a breach. The Data Governance Board (DGB) has defined a set of criteria for such incidents in the Data Governance Board Guidelines. The IMT can close out these incidents without convening a full Breach Analysis Team, provided they meet the predefined low-risk criteria; the incident must still be reported and ticketed as described above.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of PHI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS's administration of Medicare and Medicaid makes the agency a covered entity under HIPAA and subject to the law's reporting and notification requirements when PHI is breached. 
This includes reporting to the HHS Office for Civil Rights (OCR) all breaches of Protected Health Information (PHI) for each calendar year — including those that occur with a business associate.\u003c/p\u003e\u003cp\u003eAny compromise of PHI requires CMS to notify the affected individual(s) without unreasonable delay and no later than 60 days after discovery of the breach. If a breach affects the PHI of more than 500 residents of a U.S. state or jurisdiction, CMS is also “required to provide notice to prominent media outlets serving the State or jurisdiction,” and must notify OCR within 60 days. The Breach Analysis Team must work with the CMS Office of Communications Media Relations Group to complete this notification step.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of FTI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Internal Revenue Service (IRS) requires organizations handling FTI (federal tax returns and return information, including information derived from a return) to report any unauthorized access to or disclosure of FTI to the Treasury Inspector General for Tax Administration and the IRS Office of Safeguards within 24 hours of identifying the incident.\u003c/p\u003e\u003cp\u003eIf the Incident Management Team (IMT) determines that there is a possibility that FTI has been compromised by an incident, they should immediately notify the CMS IRS Liaison to begin the process for reporting to the IRS and TIGTA. Breach response stakeholders should be aware that IRS may request additional data and updates from CMS as the incident response process continues.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB requires agencies to report major incidents to Congress within seven days. The threshold for a major incident is a breach that affects 100,000 or more individuals. As an HHS OpDiv, CMS will report major incidents to the HHS Computer Security Incident Response Center (CSIRC) to assist HHS in making a report to Congress. 
CMS will also report major incidents to the CMS Office of Legislation to ensure that the Office can coordinate with HHS on any participation by CMS in the report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps and deliverables\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities at CMS require robust lines of communication and clearly defined deliverables between multiple organizations and components, including CMS groups, contractors and associates, and HHS entities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn general, the communication responsibilities of CMS, HHS, and entities are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS will be responsible for collecting data pertaining to the breach, developing a plan for notifying persons affected by the breach and mitigating any resulting harm, and reporting all breach response activities to HHS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eHHS will be responsible for coordinating between CMS and external federal agencies, as well as approving any notification and mitigation plans developed by CMS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eEntities operating on behalf of CMS (contractors and associates) are responsible for implementing notification and mitigation plans created by CMS and approved by HHS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreach response activities take place in tandem with incident response activities. Discovery of new data about a breach should be reported as soon as possible to HHS Computer Security Incident Response Center (CSIRC), to ensure that HHS can meet its own reporting requirements. (HHS CSIRC is the primary communication pathway between CMS and external organizations such as other federal agencies.)\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS maintains an incident ticketing system that automatically sends ticket updates to a mirrored ticket in the equivalent HHS CSIRC ticketing system. 
Incident responders must maintain this integration and ensure that tickets are promptly updated to communicate with HHS.\u003c/p\u003e\u003cp\u003eThe Incident Management Team, in keeping with its role during incident response, is the primary communication pathway between organizations within CMS and its contractors and associates. For more details on IMT's role and process during incidents, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eBreach response activities are accomplished through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report as a deliverable\u003c/strong\u003e to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIMT works with the affected system's officials and operators to investigate the incident. They assess the incident to determine if any categories of sensitive data may be compromised. If there is a possibility of compromise, the incident is considered a suspected breach. IMT conducts a risk assessment using the “Factors for Assessing the Risk of Harm to Potentially Affected Individuals” prescribed by OMB and defined in the CMS Risk Assessment for Breach Notification Determination form. 
Then they formally convene the Breach Analysis Team and provide the team with the\u003cstrong\u003e IMT Risk Assessment as a deliverable.\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreach analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Breach Analysis Team convenes to review the IMT Risk Assessment and categorizes the risk represented by the breach as low, moderate, or high, as described in the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system, including the Business Owner, ISSOs, COR (if the affected system is a contractor system), Senior Official for Privacy, and the DCTSO Incident Commander.\u003c/p\u003e\u003cp\u003eThe BAT determines if the conditions of the breach warrant notifying the affected individuals. If so, the BAT drafts a \u003cstrong\u003eNotification and Mitigation Plan as a deliverable\u003c/strong\u003e to the HHS Privacy Incident Response Team (PIRT), using the HHS PIRT Response Plan Template. Within CMS, the Business Owner of the affected system has the final decision on whether notification and mitigation will go forward; the plan is then subject to HHS PIRT review as described below.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification and mitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary, or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR, if the affected system is a contractor system) is responsible for executing the approved plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of breach response deliverables\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eBreach Response Deliverable\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsible\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDelivered To\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Report Ticket\u003c/td\u003e\u003ctd\u003eCMS IT Helpdesk\u003c/td\u003e\u003ctd\u003eIncident Management Team (IMT). IMT continues to update the ticket with information about the breach as the response proceeds.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk Assessment\u003c/td\u003e\u003ctd\u003eIncident Management Team\u003c/td\u003e\u003ctd\u003eBreach Analysis Team (BAT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNotification and Mitigation Plan\u003c/td\u003e\u003ctd\u003eBreach Analysis Team\u003c/td\u003e\u003ctd\u003eHHS Privacy Incident Response Team (PIRT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach Notification to Affected Individuals\u003c/td\u003e\u003ctd\u003eSystem Business Owner / Contracting Officer's Representative\u003c/td\u003e\u003ctd\u003eAffected individuals\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eBreach notification and mitigation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe goal of breach response activities is to reduce the risk of harm to individuals that is created by a breach of sensitive data. 
If the Breach Analysis Team determines that a breach represents enough risk to individuals, they develop a Notification and Mitigation Plan.\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy, in cooperation with the Business Owner of the affected system and with support from the full BAT, is responsible for developing the Notification and Mitigation Plan. CMS will receive approval to implement the plan from the HHS PIRT, using the HHS PIRT Response Plan Template as the formal deliverable. The Notification and Mitigation Plan must consider the nature and scope of the breach to determine if media organizations must be notified as per the HIPAA requirements.\u003c/p\u003e\u003cp\u003eOnce approved, the Notification and Mitigation Plan is implemented, with responsibility for implementation assigned to the Business Owner of the affected system (or the COR, if the affected system is a contractor system). If media notification is required, the BAT should coordinate with the CMS Media Relations Group (MRG).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the Breach Analysis Team determines that a breach of PII represents a risk of harm to the affected individuals, then CMS must notify individuals whose PII is compromised in a breach. 
The team will develop a Notification and Mitigation Plan to describe the actions CMS will take to protect the affected individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIndividual notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs prescribed by the \u003ca href=\"/policy-guidance/breach-analysis-team-bat-handbook\"\u003eCMS Breach Analysis Team Handbook\u003c/a\u003e, the CMS Senior Official for Privacy works with the Business Owner of an affected CMS system to develop a notification letter describing the breach for individuals and submit it to HHS PIRT for approval.\u003c/p\u003e\u003cp\u003eOMB M-17-12 provides direction to federal agencies on what information should be included in breach notifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA brief description of what happened, including the date(s) of the breach and of its discovery\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of the types of sensitive data compromised by the breach (e.g., full name, Social Security Number, date of birth, home address, account number, and disability code), to the extent possible\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA statement of whether the information was encrypted or protected by other means, when it is determined that disclosing such information would be beneficial to potentially affected individuals and would not compromise the security of the information system\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eGuidance to potentially affected individuals on how they can mitigate their own risk of harm, the countermeasures undertaken, and any services provided to potentially affected individuals\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eAny steps being taken to investigate the breach, to mitigate losses, and to protect against a future breach\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of how potentially affected individuals 
can learn more information about the breach, including a telephone number (preferably toll-free), email address, and postal address\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS PIRT has oversight over CMS breach notification plans. After developing the notification letter and a plan to contact the affected individuals, the BAT should meet with HHS PIRT to gain approval to implement the plan. This meeting should also be attended by the Business Owner(s) of any affected CMS systems, the Contracting Officers of any CMS contractor partners who were involved in the breach, and the incident response personnel who investigated the breach to ensure that HHS PIRT can receive timely answers to any questions related to the breach.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedia notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn addition to individual notification, HIPAA requires CMS to notify prominent media outlets serving a U.S. state or jurisdiction if a breach of PHI affects more than 500 residents of that state or jurisdiction. The Breach Analysis Team should contact CMS Media Relations Group if a breach of PII/PHI affects more than 500 individuals to make certain that any plans to contact media outlets are included in the notification plan submitted to HHS PIRT for approval.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNotification through public CMS resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS must also consider that a widely publicized breach may cause members of the public to attempt to contact CMS with questions about the breach and inquire whether their own information was affected. 
As part of the notification plan, the Breach Analysis Team may determine that CMS should provide a public notification message on its public resources, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePosting on the cms.gov homepage to inform the public of the breach, with a link to further details\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eProviding CMS call centers with a message to play at the start of calls to inform callers how they can determine if they were affected by a breach\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eMitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs part of its notification plan, the Breach Analysis Team must determine and document the actions that CMS will take to mitigate the risk of harm. If the breach puts the affected individuals at risk for identity theft, CMS will offer credit monitoring as prescribed by the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBudgeting considerations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere may be costs associated with implementing a notification and mitigation plan, such as providing a credit monitoring service free of charge to the affected individuals. If a contractor system is breached, the contractor should cover the costs of notification and mitigation. CMS contracts should establish this responsibility.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response stakeholders have direct or supporting roles and responsibilities during a breach. Some stakeholders in this group are associated with the FISMA system undergoing a breach and some are part of the CMS incident response capability. 
The breach response stakeholders have the following roles and responsibilities:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS FISMA System Stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns decision to notify individuals affected by a breach and provide mitigation, with advisement from the BAT.\u003c/li\u003e\u003cli\u003eOwns decision to take major actions impacting system availability in response to a breach (such as shutting down a breached system).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrimary Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary system stakeholder in charge of providing data to IMT, BAT, and other breach response stakeholders about the affected system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOperations Teams (to include General Support System [GSS] support)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eTakes incident response actions on the system affected by the breach. 
May escalate decision to take major action impacting availability to the BO.\u003c/li\u003e\u003cli\u003eProvides system data to IMT, BAT and other breach response stakeholders at the direction of the ISSO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Adviser (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides guidance to breach response stakeholders on risk and compliance for the affected system.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISPG Breach Response and Coordination\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS CISO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the breach response process.\u003c/li\u003e\u003cli\u003eIs kept apprised of all developments during breach response, analysis, notification, and mitigation.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the Breach Analysis Team process.\u003c/li\u003e\u003cli\u003eOwns and oversees the Notification and Mitigation Plan, in cooperation with the system BO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDCTSO Incident Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the incident response process.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team (IMT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary coordination entity for breach response. 
Works to provide leadership (BAT, senior officials) with data about the breach to make decisions.\u003c/li\u003e\u003cli\u003eConducts initial analysis and risk assessment of breaches to provide to the BAT.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Security Operations Center (SOC)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technical support and security subject matter expertise to the BAT during a breach.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Subject Matter Expert Support\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS Office of Communications/Media Relations Group\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides notification to media outlets in the event of a breach affecting the PHI of more than 500 individuals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOffice of General Counsel\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides support to the BAT in the event of a major incident to help CMS prepare for congressional notification.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBreach Analysis Team (BAT)\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eOwns the risk decision (low/moderate/high) after IMT conducts a risk assessment.\u003c/li\u003e\u003cli\u003eWorks with the SOP and BO to advise on the Notification and Mitigation Plan.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eLaws and guidance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this list of applicable laws and guidance to learn more about the processes described in this handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal laws\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\"\u003eFederal Information Security Modernization Act\u003c/a\u003e (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 
18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf\"\u003eHealth Insurance Portability and Accountability Act\u003c/a\u003e (HIPAA) of 1996, Pub. L. 104-191 (Aug. 21, 1996).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eExecutive orders, memoranda, and directives\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\"\u003eOMB Memorandum M-17-12\u003c/a\u003e, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04\u003c/a\u003e, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (November 19, 2019).\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e (July 28, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident\"\u003ePPD-41, Annex for Presidential Policy Directive\u003c/a\u003e United States Cyber Incident Coordination (July 26, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-14.pdf\"\u003eOMB Memorandum M-16-14, Category Management Policy 16-2\u003c/a\u003e: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 
2016).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS / HHS policy and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eCMS Risk Management Handbook (RMH) Chapter 8: Incident Response\u003c/li\u003e\u003cli\u003eCMS Breach Analysis Team Handbook\u003c/li\u003e\u003cli\u003eData Governance Guidelines\u003c/li\u003e\u003cli\u003eHHS PIRT Response Plan Template\u003c/li\u003e\u003cli\u003eCMS Risk Assessment for Breach Notification Determination\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Commerce / National Institute of Standards and Technology (NIST)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNIST Special Publication 800-34 (Revision 1), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf\"\u003eContingency Planning Guide for Federal Information Systems and Organizations\u003c/a\u003e (Apr. 2013).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-61 (Revision 2), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eComputer Security Incident Handling Guide\u003c/a\u003e (Aug. 2012).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-122, \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf\"\u003eGuide to Protecting the Confidentiality of PII\u003c/a\u003e (Apr. 
2010).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Homeland Security (DHS) / United States Computer Emergency Readiness Team (US-CERT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/uscert/incident-notification-guidelines\"\u003eUS-CERT Federal Incident Notification Guidelines\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNational Cybersecurity and Communications Integration Center (NCCIC) \u003ca href=\"https://www.cisa.gov/uscert/CISA-National-Cyber-Incident-Scoring-System\"\u003eCyber Incident Scoring System\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eGeneral Services Administration (GSA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.gsa.gov/buy-through-us/products-services/professional-services/buy-services/identity-protection-services-ips\"\u003eIdentity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1b:T7b99,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax Information (FTI) at the CMS to meet federal requirements for breach response. 
The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.\u003c/p\u003e\u003cp\u003eThese procedures help to ensure a coordinated response from all entities responsible for investigating and mitigating a breach, including organizations internal and external to CMS, as well as those responsible for remediating any identified process shortfalls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThese procedures apply to federal information and information systems, as defined in the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Modernization Act (FISMA)\u003c/a\u003e, but not to national security systems.\u003c/p\u003e\u003cp\u003eThis handbook covers breach response activities at CMS as an Operating Division (OpDiv) of the U.S. Department of Health and Human Services (HHS). It applies to CMS employees, contractors, grant recipients, interns, and affiliates supporting CMS. All organizations collecting or maintaining information or using or operating information systems on behalf of CMS also need to follow these procedures in accordance with such organizations' contractual requirements to report to and cooperate with CMS during a breach.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOut-of-scope entities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMedicare Advantage (Part C) and Part D plans and State Medicaid programs are not CMS FISMA entities but are HIPAA-covered entities. 
These entities must honor their own reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs this handbook?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis handbook is for all CMS stakeholders who may need to participate in or approve of breach response activities, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the CMS Cybersecurity Integration Center who support CMS Incident Response (IR)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System Owners (SO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDefinitions for incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eExact reporting requirements during a breach depend on the nature of the data affected by the breach. The Office of Management and Budget (OMB) has defined multiple types of security and privacy incidents within the scope of the Executive Branch. 
This section presents definitions of types of sensitive data and breach categories for use at CMS.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat counts as sensitive data?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 prescribes that \u003cstrong\u003ePersonally Identifiable Information\u003c/strong\u003e refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can distinguish or trace an individual's identity, the term PII is necessarily broad.\u003c/p\u003e\u003cp\u003eThe Health Insurance Portability and Accountability Act (HIPAA) provides that \u003cstrong\u003eProtected Health Information\u003c/strong\u003e is personally identifiable health information. All PHI is also PII, but not all PII is PHI.\u003c/p\u003e\u003cp\u003eInternal Revenue Service Publication 1075 prescribes that \u003cstrong\u003eFederal Tax Information\u003c/strong\u003e consists of federal tax returns and return information (and information derived from it) that is in an agency's possession or control. 
FTI may contain PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is an incident?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to the CMS Risk Management Handbook, an \u003cstrong\u003eincident\u003c/strong\u003e is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is a breach?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 stipulates that a \u003cstrong\u003ebreach\u003c/strong\u003e is a type of incident in which there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where either of these occurs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA person other than an authorized user accesses or potentially accesses PII\u003c/li\u003e\u003cli\u003eAn authorized user accesses PII for an other-than-authorized purpose\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreaches begin as incidents until incident responders determine that PII has been affected. Breach activities will often take place concurrently with ongoing incident response activities, such as containment, eradication, and recovery activities. For more information about the Incident Response process, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eCMS will assess suspected breaches of PII to determine if they represent enough risk of harm to individuals whose data was compromised to require notification and mitigation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-20-04, a \u003cstrong\u003emajor incident\u003c/strong\u003e is an incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. CMS does not store any data that, if breached, may impact national security. 
OMB also defines any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people as a major incident. Major incidents must be reported to Congress within seven days of determining that a major incident has occurred.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReporting incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIncident responders may determine during the incident response process, as more information about an incident is discovered, that the incident falls into other incident categories that trigger additional reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of reporting triggers\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTrigger\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOutcome\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAll Incidents\u003c/td\u003e\u003ctd\u003eNotify HHS, notify US-CERT (United States Computer Emergency Readiness Team)\u003c/td\u003e\u003ctd\u003eHHS is automatically notified by the CMS incident ticketing system; HHS handles reporting to US-CERT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll Suspected or Confirmed Breaches\u003c/td\u003e\u003ctd\u003eConduct Risk Assessment\u003c/td\u003e\u003ctd\u003eIf the breach is not in a predefined low-risk category, the CMS Breach Analysis Team must convene.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMore than 500 individuals within the same state or jurisdiction are affected by a breach of PHI\u003c/td\u003e\u003ctd\u003eNotify media in affected jurisdiction\u003c/td\u003e\u003ctd\u003eContact CMS Media Relations Group (MRG)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach indicates illegal activity\u003c/td\u003e\u003ctd\u003eContact Law Enforcement via HHS oversight 
body\u003c/td\u003e\u003ctd\u003eContact HHS Office of Inspector General (OIG) Computer Crimes Unit (CCU)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach affects FTI\u003c/td\u003e\u003ctd\u003eNotify the IRS Office of Safeguards and the Treasury Inspector General for Tax Administration (TIGTA) within 24 hours\u003c/td\u003e\u003ctd\u003eContact CMS-IRS Liaison\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e100,000 or more individuals are affected by the breach (major incident)\u003c/td\u003e\u003ctd\u003eNotify Congress within seven days\u003c/td\u003e\u003ctd\u003eContact Office of Legislation\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eAll incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe report should be made immediately upon discovery to start the CMS incident response process. The IT Service Desk instructs the reporter to fill out an incident report using the Incident Report Template, which is then sent to the Incident Management Team (IMT). Incidents must be reported whether they are confirmed to have occurred or are only suspected to have occurred. The Helpdesk refers security and privacy incidents to IMT, which then coordinates efforts to analyze, contain, and eradicate the incident.\u003c/p\u003e\u003cp\u003eAll incidents involving CMS must be reported to HHS to ensure that HHS can provide accurate incident statistics for its OpDivs as per FISMA requirements. By integrating CMS's incident ticketing system with HHS, CMS automatically notifies HHS of incidents. 
More details on the CMS Incident Response capability and reporting requirements for incidents other than breaches can be found in the Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAll breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) investigates reported security and privacy incidents to determine if they meet the definition of a breach. The team does not need confirmation of a breach to begin the breach response process; they should treat incidents as breaches as soon as the investigation reveals that PII, PHI, or FTI may have been jeopardized by an incident.\u003c/p\u003e\u003cp\u003eIf an incident reaches the status of a suspected breach, IMT conducts a risk assessment on the suspected breach using the Risk Assessment Checklist. Then they notify the CMS Breach Analysis Team (BAT) that a suspected breach has occurred and provide the BAT with the results of the risk assessment.\u003c/p\u003e\u003cp\u003eThe BAT convenes to review the risk assessment and determine the likelihood of sensitive data compromise according to the CMS Breach Analysis Team Handbook. The team assigns the breach a risk rating of Low, Moderate, or High, and advises the affected system's Business Owner (BO) on whether CMS must notify the affected individuals. 
Should notification be necessary, the Senior Official for Privacy (SOP) at CMS works with the following people to develop a notification and mitigation plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBusiness Owner of the CMS system affected by the breach\u003c/li\u003e\u003cli\u003eContracting Officer's Representative (COR) for any affected contractors\u003c/li\u003e\u003cli\u003eIncident responders\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the nature and quantity of the sensitive data compromised by the breach, different reporting requirements apply:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003ePHI\u003c/strong\u003e, the HIPAA Breach Notification Rule applies in addition to the OMB M-17-12 requirements that apply to any breach of PII.\u003c/li\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003eFTI\u003c/strong\u003e, the IRS requires that the IRS Office of Safeguards and the U.S. Treasury Inspector General for Tax Administration (TIGTA) be notified.\u003c/li\u003e\u003cli\u003eIf a breach compromises any data that may impact U.S. national security or otherwise meets the definition of a \u003cstrong\u003emajor incident\u003c/strong\u003e, then Congress must be notified.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eLow risk scenarios\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome privacy incidents are considered low risk and do not rise to the threshold of a breach. The Data Governance Board (DGB) has defined a set of criteria for such incidents in the Data Governance Board Guidelines. The IMT can close out these incidents without convening the full Breach Analysis Team if they fall within the DGB's low-risk criteria; the incident is still recorded in the incident ticketing system and reported to HHS as an incident.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of PHI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS's administration of Medicare and Medicaid makes the agency a covered entity under HIPAA and subject to the law's reporting and notification requirements when PHI is breached. 
This includes reporting to the HHS Office for Civil Rights (OCR) of all breaches of Protected Health Information (PHI) for each calendar year \u2014 including those that occur with a business associate.\u003c/p\u003e\u003cp\u003eAny compromise of PHI requires CMS to notify the affected individual(s) without unreasonable delay and no later than 60 calendar days after discovery of the breach. If a breach affects the PHI of more than 500 residents of a U.S. state or jurisdiction, CMS is also “required to provide notice to prominent media outlets serving the State or jurisdiction.” Breaches affecting 500 or more individuals must also be reported to OCR within the same 60-day window; breaches affecting fewer than 500 individuals are logged and reported to OCR annually. The Breach Analysis Team must work with the CMS Office of Communications Media Relations Group to complete the media notification step.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of FTI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Internal Revenue Service (IRS) requires organizations handling FTI (federal tax returns and return information, including information derived from a return) to report any unauthorized access to or disclosure of FTI to the Treasury Inspector General for Tax Administration and the IRS Office of Safeguards within 24 hours of identifying the incident.\u003c/p\u003e\u003cp\u003eIf the Incident Management Team (IMT) determines that there is a possibility that FTI has been compromised by an incident, they should immediately notify the CMS IRS Liaison to begin the process for reporting to the IRS and TIGTA. Breach response stakeholders should be aware that IRS may request additional data and updates from CMS as the incident response process continues.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB requires agencies to report major incidents to Congress within seven days of determining that a major incident has occurred. The PII threshold for a major incident is a breach that affects 100,000 or more individuals. As an HHS OpDiv, CMS will report major incidents to the HHS Computer Security Incident Response Center (CSIRC) to assist HHS in making a report to Congress. 
CMS will also report major incidents to the CMS Office of Legislation to ensure that the Office can coordinate with HHS on any participation by CMS in the report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps and deliverables\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities at CMS require robust lines of communication and clearly defined deliverables between multiple organizations and components, including CMS groups, contractors and associates, and HHS entities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn general, the communication responsibilities of CMS, HHS, and entities are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS will be responsible for collecting data pertaining to the breach, developing a plan for notifying persons affected by the breach and mitigating any resulting harm, and reporting all breach response activities to HHS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eHHS will be responsible for coordinating between CMS and external federal agencies, as well as approving any notification and mitigation plans developed by CMS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eEntities operating on behalf of CMS (contractors and associates) are responsible for implementing notification and mitigation plans created by CMS and approved by HHS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreach response activities take place in tandem with incident response activities. Discovery of new data about a breach should be reported as soon as possible to HHS Computer Security Incident Response Center (CSIRC), to ensure that HHS can meet its own reporting requirements. (HHS CSIRC is the primary communication pathway between CMS and external organizations such as other federal agencies.)\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS maintains an incident ticketing system that automatically sends ticket updates to a mirrored ticket in the equivalent HHS CSIRC ticketing system. 
Incident responders must maintain this integration and ensure that tickets are promptly updated to communicate with HHS.\u003c/p\u003e\u003cp\u003eThe Incident Management Team, in keeping with its role during incident response, is the primary communication pathway between organizations within CMS and its contractors and associates. For more details on IMT's role and process during incidents, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eBreach response activities are accomplished through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report as a deliverable\u003c/strong\u003e to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIMT works with the affected system's officials and operators to investigate the incident. They assess the incident to determine if any categories of sensitive data may be compromised. If there is a possibility of compromise, the incident is considered a suspected breach. IMT conducts a risk assessment using the “Factors for Assessing the Risk of Harm to Potentially Affected Individuals” prescribed by OMB and defined in the CMS Risk Assessment for Breach Notification Determination form. 
Then they formally convene the Breach Analysis Team and provide the team with the\u003cstrong\u003e IMT Risk Assessment as a deliverable.\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreach analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Breach Analysis Team convenes to review the IMT Risk Assessment and categorizes the risk represented by the breach as low, moderate, or high, as described in the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system, including the Business Owner, ISSOs, COR (if the affected system is a contractor system), Senior Official for Privacy, and the DCTSO Incident Commander.\u003c/p\u003e\u003cp\u003eThe BAT determines if the conditions of the breach warrant notifying the affected individuals. If so, the BAT drafts a \u003cstrong\u003eNotification and Mitigation Plan as a deliverable\u003c/strong\u003e to the HHS Privacy Incident Response Team (PIRT), using the HHS PIRT Response Plan Template. The Business Owner of the affected system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification and mitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) is responsible for executing the approved plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of breach response deliverables\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eBreach Response Deliverable\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsible\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDelivered To\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Report Ticket\u003c/td\u003e\u003ctd\u003eCMS IT Helpdesk\u003c/td\u003e\u003ctd\u003eIncident Management Team (IMT). IMT continues to update the ticket with information about the breach as the response proceeds.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk Assessment\u003c/td\u003e\u003ctd\u003eIncident Management Team\u003c/td\u003e\u003ctd\u003eBreach Analysis Team (BAT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNotification and Mitigation Plan\u003c/td\u003e\u003ctd\u003eBreach Analysis Team\u003c/td\u003e\u003ctd\u003eHHS Privacy Incident Response Team (PIRT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach Notification to Affected Individuals\u003c/td\u003e\u003ctd\u003eSystem Business Owner / Contracting Officer's Representative\u003c/td\u003e\u003ctd\u003eAffected individuals\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eBreach notification and mitigation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe goal of breach response activities is to reduce the risk of harm to individuals that is created by a breach of sensitive data. 
If the Breach Analysis Team determines that a breach represents enough risk to individuals, they develop a Notification and Mitigation Plan.\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy, in cooperation with the Business Owner of the affected system and with support from the full BAT, is responsible for developing the Notification and Mitigation Plan. CMS will receive approval to implement the plan from the HHS PIRT, using the HHS PIRT Response Plan Template as the formal deliverable. The Notification and Mitigation Plan must consider the nature and scope of the breach to determine if media organizations must be notified as per the HIPAA requirements.\u003c/p\u003e\u003cp\u003eOnce approved, the Notification and Mitigation Plan is implemented, with responsibility for implementation assigned to the Business Owner of the affected system (or the COR, if the affected system is a contractor system). If media notification is required, the BAT should coordinate with the CMS Media Relations Group (MRG).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the Breach Analysis Team determines that a breach of PII represents a risk of harm to the affected individuals, then CMS must notify individuals whose PII is compromised in a breach. 
The team will develop a Notification and Mitigation Plan to describe the actions CMS will take to protect the affected individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIndividual notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs prescribed by the \u003ca href=\"/policy-guidance/breach-analysis-team-bat-handbook\"\u003eCMS Breach Analysis Team Handbook\u003c/a\u003e, the CMS Senior Official for Privacy works with the Business Owner of an affected CMS system to develop a notification letter describing the breach for individuals and submit it to HHS PIRT for approval.\u003c/p\u003e\u003cp\u003eOMB M-17-12 provides direction to federal agencies on what information should be included in breach notifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA brief description of what happened, including the date(s) of the breach and of its discovery\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of the types of sensitive data compromised by the breach (e.g., full name, Social Security Number, date of birth, home address, account number, and disability code), to the extent possible\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA statement of whether the information was encrypted or protected by other means, when it is determined that disclosing such information would be beneficial to potentially affected individuals and would not compromise the security of the information system\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eGuidance to potentially affected individuals on how they can mitigate their own risk of harm, the countermeasures undertaken, and any services provided to potentially affected individuals\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eAny steps being taken to investigate the breach, to mitigate losses, and to protect against a future breach\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of how potentially affected individuals 
can learn more information about the breach, including a telephone number (preferably toll-free), email address, and postal address\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS PIRT has oversight over CMS breach notification plans. After developing the notification letter and a plan to contact the affected individuals, the BAT should meet with HHS PIRT to gain approval to implement the plan. This meeting should also be attended by the Business Owner(s) of any affected CMS systems, the Contracting Officers of any CMS contractor partners who were involved in the breach, and the incident response personnel who investigated the breach to ensure that HHS PIRT can receive timely answers to any questions related to the breach.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedia notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn addition to individual notification, HIPAA requires CMS to notify local media outlets if a breach of PHI affects more than 500 individuals within a single locality.\u0026nbsp; The Breach Analysis Team should contact CMS Media Relations Group if a breach of PII/PHI affects more than 500 individuals to make certain that any plans to contact media outlets are included in the notification plan submitted to HHS PIRT for approval.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNotification through public CMS resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS must also consider that a widely publicized breach may cause members of the public to attempt to contact CMS with questions about the breach and inquire whether their own information was affected. 
As part of the notification plan, the Breach Analysis Team may determine that CMS should provide a public notification message on its public resources, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePosting on the cms.gov homepage to inform the public of the breach, with a link to further details\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eProviding CMS call centers with a message to play at the start of calls to inform callers how they can determine if they were affected by a breach\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eMitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs part of its notification plan, the Breach Analysis Team must determine and document the actions that CMS will take to mitigate the risk of harm. If the breach puts the affected individuals at risk for identity theft, CMS will offer credit monitoring as prescribed by the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBudgeting considerations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere may be costs associated with implementing a notification and mitigation plan, such as providing a credit monitoring service free of charge to the affected individuals. If a contractor system is breached, the contractor should cover the costs of notification and mitigation. CMS contracts should establish this responsibility.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response stakeholders have direct or supporting roles and responsibilities during a breach. Some stakeholders in this group are associated with the FISMA system undergoing a breach and some are part of the CMS incident response capability. 
The breach response stakeholders have the following roles and responsibilities:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS FISMA System Stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns decision to notify individuals affected by a breach and provide mitigation, with advisement from the BAT.\u003c/li\u003e\u003cli\u003eOwns decision to take major actions impacting system availability in response to a breach (such as shutting down a breached system).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrimary Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary system stakeholder in charge of providing data to IMT, BAT, and other breach response stakeholders about the affected system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOperations Teams (to include General Support System [GSS] support)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eTakes incident response actions on the system affected by the breach. 
May escalate decision to take major action impacting availability to the BO.\u003c/li\u003e\u003cli\u003eProvides system data to IMT, BAT and other breach response stakeholders at the direction of the ISSO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Adviser (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides guidance to breach response stakeholders on risk and compliance for the affected system.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISPG Breach Response and Coordination\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS CISO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the breach response process.\u003c/li\u003e\u003cli\u003eIs kept apprised of all developments during breach response, analysis, notification, and mitigation.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the Breach Analysis Team process.\u003c/li\u003e\u003cli\u003eOwns and oversees the Notification and Mitigation Plan, in cooperation with the system BO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDCTSO Incident Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the incident response process.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team (IMT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary coordination entity for breach response. 
Works to provide leadership (BAT, senior officials) with data about the breach to make decisions.\u003c/li\u003e\u003cli\u003eConducts initial analysis and risk assessment of breaches to provide to the BAT.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Security Operations Center (SOC)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technical support and security subject matter expertise to the BAT during a breach.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Subject Matter Expert Support\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS Office of Communications/Media Relations Group\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides notification to media outlets in the event of a breach affecting the PHI of more than 500 individuals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOffice of General Counsel\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides support to the BAT in the event of a major incident to help CMS prepare for congressional notification.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBreach Analysis Team (BAT)\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eOwns the risk decision (low/moderate/high) after IMT conducts a risk assessment.\u003c/li\u003e\u003cli\u003eWorks with the SOP and BO to advise on the Notification and Mitigation Plan.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eLaws and guidance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this list of applicable laws and guidance to learn more about the processes described in this handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal laws\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\"\u003eFederal Information Security Modernization Act\u003c/a\u003e (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 
18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf\"\u003eHealth Insurance Portability and Accountability Act\u003c/a\u003e (HIPAA) of 1996, Pub. L. 104-191 (Aug. 21, 1996).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eExecutive orders, memoranda, and directives\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\"\u003eOMB Memorandum M-17-12\u003c/a\u003e, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04\u003c/a\u003e, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (November 19, 2019).\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e (July 28, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident\"\u003ePPD-41, Annex for Presidential Policy Directive\u003c/a\u003e United States Cyber Incident Coordination (July 26, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-14.pdf\"\u003eOMB Memorandum M-16-14, Category Management Policy 16-2\u003c/a\u003e: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 
2016).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS / HHS policy and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eCMS Risk Management Handbook (RMH) Chapter 8: Incident Response\u003c/li\u003e\u003cli\u003eCMS Breach Analysis Team Handbook\u003c/li\u003e\u003cli\u003eData Governance Guidelines\u003c/li\u003e\u003cli\u003eHHS PIRT Response Plan Template\u003c/li\u003e\u003cli\u003eCMS Risk Assessment for Breach Notification Determination\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Commerce / National Institute of Standards and Technology (NIST)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNIST Special Publication 800-34 (Revision 1), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf\"\u003eContingency Planning Guide for Federal Information Systems and Organizations\u003c/a\u003e (Apr. 2013).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-61 (Revision 2), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eComputer Security Incident Handling Guide\u003c/a\u003e (Aug. 2012).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-122, \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf\"\u003eGuide to Protecting the Confidentiality of PII\u003c/a\u003e (Apr. 
2010).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Homeland Security (DHS) / United States Computer Emergency Readiness Team (US-CERT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/uscert/incident-notification-guidelines\"\u003eUS-CERT Federal Incident Notification Guidelines\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNational Cybersecurity and Communications Integration Center (NCCIC) \u003ca href=\"https://www.cisa.gov/uscert/CISA-National-Cyber-Incident-Scoring-System\"\u003eCyber Incident Scoring System\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eGeneral Services Administration (GSA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.gsa.gov/buy-through-us/products-services/professional-services/buy-services/identity-protection-services-ips\"\u003eIdentity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1c:T2412,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected \u003cstrong\u003ebreach\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt this point (in collaboration with the Business Owner and the Information System Security Officer), the IMT may decide that a Breach Analysis Team should be convened, and notifies ISPG. 
This handbook is a guide for members of the Breach Analysis Team (BAT) to follow as they work to assess and mitigate the risks caused by a suspected breach.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho is on the BAT?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresentatives from the Incident Management Team (IMT) within the CMS Cybersecurity Integration Center (CCIC)\u003c/li\u003e\u003cli\u003eRepresentatives from ISPG (which may include the DCTSO Incident Commander and Senior Official for Privacy)\u003c/li\u003e\u003cli\u003eBusiness and/or System Owner of the affected system\u003c/li\u003e\u003cli\u003eOther people as needed:\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Maintainer\u003c/li\u003e\u003cli\u003eContracting Officer Representative (COR) if the affected system is a contractor system\u003c/li\u003e\u003cli\u003eCPI point of contact\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBAT responsibilities and steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce convened, the Breach Analysis Team is responsible for the following:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BAT conducts a risk assessment (using the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet) to determine the risk of harm to the affected individuals whose PII/PHI has been compromised. 
The assessment also helps determine who should be notified of the breach, and to what extent (if any).\u003c/p\u003e\u003cp\u003eWhen conducting the Risk Assessment, consider the following elements:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHow sensitive is the PII?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the nature and sensitivity of the PII potentially compromised by the breach, including the potential harms that an individual could experience from the compromise of that type of PII. These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Elements\u003c/strong\u003e — analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eContext\u003c/strong\u003e — purpose for which the PII was collected, maintained, and used\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivate Information\u003c/strong\u003e — extent to which the PII, in a given context, may reveal particularly private information about an individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eVulnerable Populations\u003c/strong\u003e — extent to which the PII identifies or disproportionately impacts a particularly vulnerable population\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePermanence\u003c/strong\u003e — the continued relevance and utility of the PII over time and whether it is easily replaced or substituted (for example, a Social Security number or date of birth cannot be reissued, whereas a password or payment card number can)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHow likely is the PII to be accessed and used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the likelihood of access and use of the compromised PII, including whether it was properly encrypted or rendered partially or completely inaccessible by other means. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eSecurity Safeguards\u003c/strong\u003e — whether the PII was properly encrypted (encryption only lowers the likelihood of use if the decryption key was not itself exposed in the same incident) or rendered partially or completely inaccessible by other means\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFormat and Media\u003c/strong\u003e — whether the format of the PII may make it difficult and resource-intensive to use\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDuration of Exposure\u003c/strong\u003e — how long the PII was exposed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEvidence of Misuse\u003c/strong\u003e — any evidence confirming that the PII is being misused, or that it was never accessed\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat kind of breach and who is involved?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine and document the type of breach, including the circumstances of the breach, as well as the actors involved and their intent. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIntent\u003c/strong\u003e — whether the PII was compromised intentionally or unintentionally (or if the intent is unknown)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRecipient\u003c/strong\u003e — whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is CMS’s ability to mitigate risk?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWithin an information system, the risk of harm will depend on how CMS is able to mitigate further compromise of the system(s) affected by a breach.\u003c/p\u003e\u003cp\u003eConsider how best to mitigate the identified risks and whether to notify individuals potentially affected by the breach (including whether to offer credit monitoring services).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocument risk assessment results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDocument the results of the above risk assessment on the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet, and submit the completed form to the CMS Senior Official for Privacy: \u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eLow risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS 
Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedium or high risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003emedium or high probability\u003c/strong\u003e that the PII has been compromised, coordinate with the HHS Privacy Incident Response Team (PIRT) to perform the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PII\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify, without unreasonable delay, the individuals affected.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PHI\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis step does not apply unless PHI (as defined by HIPAA) is involved. If the data is only PII (as defined by the Privacy Act), then proceed to the next step: Recommendations to HHS PIRT.\u003c/p\u003e\u003cp\u003eIf the PHI breach involves 500 or more individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) of the breach via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form: “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting 500 or more individuals\u003c/a\u003e”. 
This provides the Secretary with notice of the breach without unreasonable delay and \u003cstrong\u003eno later than 60 days from discovery of the breach\u003c/strong\u003e (under HIPAA, a breach is treated as discovered on the first day it is known to CMS, or would have been known by exercising reasonable diligence).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves fewer than 500 individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) within the HIPAA Breach Notification Rule deadline for smaller breaches (no later than 60 days after the end of the calendar year in which the breach was discovered) via the \u003ca href=\"https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting fewer than 500 individuals\u003c/a\u003e”.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves more than 500 residents of a State or Jurisdiction:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify prominent media outlets serving the applicable State or Jurisdiction of the breach, without unreasonable delay and no later than 60 days from discovery of the breach.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecommendations to HHS PIRT\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe last step is to make a recommendation about breach notification to the HHS Privacy Incident Response Team (PIRT). Do this by creating a draft plan for notification and mitigation using the HHS PIRT Response Plan Template. Submit this draft to HHS PIRT so they can review it.\u003c/p\u003e\u003cp\u003eThe PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing breach response activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eVerify all of the above steps have been completed fully (as necessary, depending on the type of breach, type of sensitive information, level of risk, and so on.) Then, coordinate with the Incident Management Team to update and close the applicable ticket.\u003c/p\u003e\u003cp\u003eFor more details on breach notification responsibilities and procedures, see the CMS Breach Response Handbook.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T2412,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected \u003cstrong\u003ebreach\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt this point (in collaboration with the Business Owner and the Information System Security Officer), the IMT may decide that a Breach Analysis Team should be convened, and notifies ISPG. This handbook is a guide for members of the Breach Analysis Team (BAT) to follow as they work to assess and mitigate the risks caused by a suspected breach.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho is on the BAT?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system. 
This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresentatives from the Incident Management Team (IMT) within the CMS Cybersecurity Integration Center (CCIC)\u003c/li\u003e\u003cli\u003eRepresentatives from ISPG (which may include the DCTSO Incident Commander and Senior Official for Privacy)\u003c/li\u003e\u003cli\u003eBusiness and/or System Owner of the affected system\u003c/li\u003e\u003cli\u003eOther people as needed:\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Maintainer\u003c/li\u003e\u003cli\u003eContracting Officer Representative (COR) if the affected system is a contractor system\u003c/li\u003e\u003cli\u003eCPI point of contact\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBAT responsibilities and steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce convened, the Breach Analysis Team is responsible for the following:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BAT conducts a risk assessment (using the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet) to determine the risk of harm to the affected individuals whose PII/PHI has been compromised. The assessment also helps determine who should be notified of the breach, and to what extent (if any).\u003c/p\u003e\u003cp\u003eWhen conducting the Risk Assessment, consider the following elements:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHow sensitive is the PII?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the nature and sensitivity of the PII potentially compromised by the breach, including the potential harms that an individual could experience from the compromise of that type of PII. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Elements\u003c/strong\u003e — analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eContext\u003c/strong\u003e — purpose for which the PII was collected, maintained, and used\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivate Information\u003c/strong\u003e — extent to which the PII, in a given context, may reveal particularly private information about an individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eVulnerable Populations\u003c/strong\u003e — extent to which the PII identifies or disproportionately impacts a particularly vulnerable population\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePermanence\u003c/strong\u003e — the continued relevance and utility of the PII over time and whether it is easily replaced or substituted (for example, a Social Security number or date of birth cannot be reissued, whereas a password or payment card number can)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHow likely is the PII to be accessed and used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the likelihood of access and use of the compromised PII, including whether it was properly encrypted or rendered partially or completely inaccessible by other means. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eSecurity Safeguards\u003c/strong\u003e — whether the PII was properly encrypted (encryption only lowers the likelihood of use if the decryption key was not itself exposed in the same incident) or rendered partially or completely inaccessible by other means\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFormat and Media\u003c/strong\u003e — whether the format of the PII may make it difficult and resource-intensive to use\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDuration of Exposure\u003c/strong\u003e — how long the PII was exposed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEvidence of Misuse\u003c/strong\u003e — any evidence confirming that the PII is being misused, or that it was never accessed\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat kind of breach and who is involved?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine and document the type of breach, including the circumstances of the breach, as well as the actors involved and their intent. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eIntent\u003c/strong\u003e — whether the PII was compromised intentionally or unintentionally (or if the intent is unknown)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRecipient\u003c/strong\u003e — whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is CMS’s ability to mitigate risk?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWithin an information system, the risk of harm will depend on how CMS is able to mitigate further compromise of the system(s) affected by a breach.\u003c/p\u003e\u003cp\u003eConsider how best to mitigate the identified risks and whether to notify individuals potentially affected by the breach (including whether to offer credit monitoring services).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocument risk assessment results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDocument the results of the above risk assessment on the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet, and submit the completed form to the CMS Senior Official for Privacy: \u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eLow risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS 
Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedium or high risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003emedium or high probability\u003c/strong\u003e that the PII has been compromised, coordinate with the HHS Privacy Incident Response Team (PIRT) to perform the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PII\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify, without unreasonable delay, the individuals affected.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PHI\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis step does not apply unless PHI (as defined by HIPAA) is involved. If the data is only PII (as defined by the Privacy Act), then proceed to the next step: Recommendations to HHS PIRT.\u003c/p\u003e\u003cp\u003eIf the PHI breach involves 500 or more individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) of the breach via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form: “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting 500 or more individuals\u003c/a\u003e”. 
This provides the Secretary with notice of the breach without unreasonable delay and \u003cstrong\u003eno later than 60 days from discovery of the breach\u003c/strong\u003e (under HIPAA, a breach is treated as discovered on the first day it is known to CMS, or would have been known by exercising reasonable diligence).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves fewer than 500 individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) within the HIPAA Breach Notification Rule deadline for smaller breaches (no later than 60 days after the end of the calendar year in which the breach was discovered) via the \u003ca href=\"https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting fewer than 500 individuals\u003c/a\u003e”.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves more than 500 residents of a State or Jurisdiction:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify prominent media outlets serving the applicable State or Jurisdiction of the breach, without unreasonable delay and no later than 60 days from discovery of the breach.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecommendations to HHS PIRT\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe last step is to make a recommendation about breach notification to the HHS Privacy Incident Response Team (PIRT). Do this by creating a draft plan for notification and mitigation using the HHS PIRT Response Plan Template. Submit this draft to HHS PIRT so they can review it.\u003c/p\u003e\u003cp\u003eThe PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing breach response activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eVerify all of the above steps have been completed fully (as necessary, depending on the type of breach, type of sensitive information, level of risk, and so on.) Then, coordinate with the Incident Management Team to update and close the applicable ticket.\u003c/p\u003e\u003cp\u003eFor more details on breach notification responsibilities and procedures, see the CMS Breach Response Handbook.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"alex.kerr\"}\n28:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"mburgess\"}\n2c:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"d"])</script><script>self.__next_f.push([1,"efault_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_internal__"])</script><script>self.__next_f.push([1,"tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a1"])</script><script>self.__next_f.push([1,"8463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"id\":\""])</script><script>self.__next_f.push([1,"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"related\":\"$"])</script><script>self.__next_f.push([1,"96\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"topics\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\n
a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"}\nb1:{\"href\":\"https://cybergeek."])</script><script>self.__next_f.push([1,"cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security 
Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"href\":\"https"])</script><script>self.__next_f.push([1,"://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808?resourceVersion=id%3A16657\"}\ncd:{\"self\":\"$ce\"}\nd0:[]\nd2:Tbf8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eProtecting sensitive information at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. 
When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncidents and breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk, so they can be assessed and mitigated by incident responders.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e. Breaches begin as incidents until incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Personal Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.\u003c/p\u003e\u003cp\u003eBreach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. 
Detailed information about incident response at CMS can be found in the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Risk Management Handbook Chapter 8: Incident Response\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho participates in breach response?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e who support CMS Incident Response (IR)\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d3:Tbf8,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eProtecting sensitive information at CMS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS systems contain the personal and health information of millions of people in order to provide benefits and services. 
It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncidents and breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk, so they can be assessed and mitigated by incident responders.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e. Breaches begin as incidents until incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Personal Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.\u003c/p\u003e\u003cp\u003eBreach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. 
Detailed information about incident response at CMS can be found in the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eCMS Risk Management Handbook Chapter 8: Incident Response\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho participates in breach response?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center\u003c/a\u003e who support CMS Incident Response (IR)\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and 
mitigation.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d1:{\"value\":\"$d2\",\"format\":\"body_text\",\"processed\":\"$d3\"}\ncf:{\"drupal_internal__id\":981,\"drupal_internal__revision_id\":16657,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d1\"}\nd7:{\"drupal_internal__target_id\":\"page_section\"}\nd6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d7\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/paragraph_type?resourceVersion=id%3A16657\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/relationships/paragraph_type?resourceVersion=id%3A16657\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd5:{\"data\":\"$d6\",\"links\":\"$d8\"}\ndd:{\"target_revision_id\":16656,\"drupal_internal__target_id\":976}\ndc:{\"type\":\"paragraph--process_list\",\"id\":\"1f538793-a3ed-4ea1-97ab-7c2366dd1bd8\",\"meta\":\"$dd\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/field_specialty_item?resourceVersion=id%3A16657\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/relationships/field_specialty_item?resourceVersion=id%3A16657\"}\nde:{\"related\":\"$df\",\"self\":\"$e0\"}\ndb:{\"data\":\"$dc\",\"links\":\"$de\"}\nd4:{\"paragraph_type\":\"$d5\",\"field_specialty_item\":\"$db\"}\ncc:{\"type\":\"paragraph--page_section\",\"id\":\"5736196d-d894-4ce0-bd41-be12b2dc4808\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d4\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97
ab-7c2366dd1bd8?resourceVersion=id%3A16656\"}\ne2:{\"self\":\"$e3\"}\ne5:[]\ne4:{\"drupal_internal__id\":976,\"drupal_internal__revision_id\":16656,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"981\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"b"])</script><script>self.__next_f.push([1,"ehavior_settings\":\"$e5\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\ne9:{\"drupal_internal__target_id\":\"process_list\"}\ne8:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$e9\"}\neb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/paragraph_type?resourceVersion=id%3A16656\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/relationships/paragraph_type?resourceVersion=id%3A16656\"}\nea:{\"related\":\"$eb\",\"self\":\"$ec\"}\ne7:{\"data\":\"$e8\",\"links\":\"$ea\"}\nf0:{\"target_revision_id\":16652,\"drupal_internal__target_id\":956}\nef:{\"type\":\"paragraph--process_list_item\",\"id\":\"f73e0562-7f5f-4cf8-b3fd-f6c85972d464\",\"meta\":\"$f0\"}\nf2:{\"target_revision_id\":16653,\"drupal_internal__target_id\":961}\nf1:{\"type\":\"paragraph--process_list_item\",\"id\":\"f8509430-8ab7-4bf7-ae90-8f2f7fce9015\",\"meta\":\"$f2\"}\nf4:{\"target_revision_id\":16654,\"drupal_internal__target_id\":966}\nf3:{\"type\":\"paragraph--process_list_item\",\"id\":\"f384dee5-31b6-44db-b0e8-491651d2721f\",\"meta\":\"$f4\"}\nf6:{\"target_revision_id\":16655,\"drupal_internal__target_id\":971}\nf5:{\"type\":\"paragraph--process_list_item\",\"id\":\"e8d8f9e8-1439-4436-964c-ab587c98442b\",\"meta\":\"$f6\"}\nee:[\"$ef\",\"$f1\",\"$f3\",\"$f5\"]\nf8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/field_process_list_item?resourceVersio
n=id%3A16656\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/relationships/field_process_list_item?resourceVersion=id%3A16656\"}\nf7:{\"related\":\"$f8\",\"self\":\"$f9\"}\ned:{\"data\":\"$ee\",\"links\":\"$f7\"}\ne6:{\"paragraph_type\":\"$e7\",\"field_process_list_item\":\"$ed\"}\ne1:{\"type\":\"paragraph--process_list\",\"id\":\"1f538793-a3ed-4ea1-97ab-7c2366dd1bd8\",\"links\":\"$e2\",\"attributes\":\"$e4\",\"relationships\":\"$e6\"}\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d4"])</script><script>self.__next_f.push([1,"64?resourceVersion=id%3A16652\"}\nfb:{\"self\":\"$fc\"}\nfe:[]\nff:{\"value\":\"\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report\u003c/strong\u003e as a deliverable to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report\u003c/strong\u003e as a deliverable to the Incident Management Team (IMT) and create a ticket to track the issue. 
The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\"}\nfd:{\"drupal_internal__id\":956,\"drupal_internal__revision_id\":16652,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$fe\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$ff\",\"field_list_item_title\":\"Reporting\"}\n103:{\"drupal_internal__target_id\":\"process_list_item\"}\n102:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$103\"}\n105:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d464/paragraph_type?resourceVersion=id%3A16652\"}\n106:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d464/relationships/paragraph_type?resourceVersion=id%3A16652\"}\n104:{\"related\":\"$105\",\"self\":\"$106\"}\n101:{\"data\":\"$102\",\"links\":\"$104\"}\n100:{\"paragraph_type\":\"$101\"}\nfa:{\"type\":\"paragraph--process_list_item\",\"id\":\"f73e0562-7f5f-4cf8-b3fd-f6c85972d464\",\"links\":\"$fb\",\"attributes\":\"$fd\",\"relationships\":\"$100\"}\n109:{\"href\":\"https:"])</script><script>self.__next_f.push([1,"//cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015?resourceVersion=id%3A16653\"}\n108:{\"self\":\"$109\"}\n10b:[]\n10c:{\"value\":\"\u003cp\u003eIMT works with the affected systems officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. 
IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the\u003cstrong\u003e IMT Risk Assessment\u003c/strong\u003e as a deliverable.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIMT works with the affected systems officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the\u003cstrong\u003e IMT Risk Assessment\u003c/strong\u003e as a deliverable.\u003c/p\u003e\"}\n10a:{\"drupal_internal__id\":961,\"drupal_internal__revision_id\":16653,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:40+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$10b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$10c\",\"field_list_item_title\":\"Risk 
assessment\"}\n110:{\"drupal_internal__target_id\":\"process_list_item\"}\n10f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$110\"}\n112:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015/paragraph_type?resourceVersion=id%3A16653\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015/relationships/paragraph_type?resourceVersion=id%3A16653\"}\n111:{\"related\":\"$112\",\"self\":\"$113\"}\n10e:{\"data\":\"$10f\",\"links\":\"$111\"}\n10d:{\"paragraph_type\":\"$10e\"}\n107:{\"type\":\"paragraph--process_list_item\",\"id\":\"f8509430-8ab"])</script><script>self.__next_f.push([1,"7-4bf7-ae90-8f2f7fce9015\",\"links\":\"$108\",\"attributes\":\"$10a\",\"relationships\":\"$10d\"}\n116:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f?resourceVersion=id%3A16654\"}\n115:{\"self\":\"$116\"}\n118:[]\n119:{\"value\":\"\u003cp\u003eThe Breach Analysis Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a \u003cstrong\u003eNotification and Mitigation Plan \u003c/strong\u003eto the HHS Privacy Incident Response Team (PIRT). The Business Owner of the system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe Breach Analysis Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. 
The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a \u003cstrong\u003eNotification and Mitigation Plan \u003c/strong\u003eto the HHS Privacy Incident Response Team (PIRT). The Business Owner of the system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\"}\n117:{\"drupal_internal__id\":966,\"drupal_internal__revision_id\":16654,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:59:18+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$118\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$119\",\"field_list_item_title\":\"Breach analysis\"}\n11d:{\"drupal_internal__target_id\":\"process_list_item\"}\n11c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\""])</script><script>self.__next_f.push([1,"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$11d\"}\n11f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f/paragraph_type?resourceVersion=id%3A16654\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f/relationships/paragraph_type?resourceVersion=id%3A16654\"}\n11e:{\"related\":\"$11f\",\"self\":\"$120\"}\n11b:{\"data\":\"$11c\",\"links\":\"$11e\"}\n11a:{\"paragraph_type\":\"$11b\"}\n114:{\"type\":\"paragraph--process_list_item\",\"id\":\"f384dee5-31b6-44db-b0e8-491651d2721f\",\"links\":\"$115\",\"attributes\":\"$117\",\"relationships\":\"$11a\"}\n123:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b?resourceVersion=id%3A16655\"}\n122:{\"self\":\"$123\"}\n125:[]\n126:{\"value\":\"\u003cp\u003eHHS 
PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\"}\n124:{\"drupal_internal__id\":971,\"drupal_internal__revision_id\":16655,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T21:08:20+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$125\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$126\",\"field_list_item_title\":\"Notification and 
mitigation\"}\n12a:{\"drupal_internal__target_id\":\"process_list_item\"}\n129:{\"type\":\""])</script><script>self.__next_f.push([1,"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$12a\"}\n12c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b/paragraph_type?resourceVersion=id%3A16655\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b/relationships/paragraph_type?resourceVersion=id%3A16655\"}\n12b:{\"related\":\"$12c\",\"self\":\"$12d\"}\n128:{\"data\":\"$129\",\"links\":\"$12b\"}\n127:{\"paragraph_type\":\"$128\"}\n121:{\"type\":\"paragraph--process_list_item\",\"id\":\"e8d8f9e8-1439-4436-964c-ab587c98442b\",\"links\":\"$122\",\"attributes\":\"$124\",\"relationships\":\"$127\"}\n130:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93?resourceVersion=id%3A16658\"}\n12f:{\"self\":\"$130\"}\n132:[]\n131:{\"drupal_internal__id\":1401,\"drupal_internal__revision_id\":16658,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:50:56+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$132\",\"default_langcode\":true,\"revision_translation_affected\":true}\n136:{\"drupal_internal__target_id\":\"internal_link\"}\n135:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$136\"}\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/paragraph_type?resourceVersion=id%3A16658\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/relationships/paragraph_type?resourceVersion=id%3A16658\"}\n137:{\"related\":\"$138\",\"self\":\"$139\"}\n134:{\"data\":\"$135\",\"links\":\"$137\"}\n13c:{\"drupal_intern
al__target_id\":621}\n13b:{\"type\":\"node--library\",\"id\":\"4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e\",\"meta\":\"$13c\"}\n13e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/field_link?resourceVersion=id%3A16658\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4"])</script><script>self.__next_f.push([1,"-44ad-889c-dc6361470f93/relationships/field_link?resourceVersion=id%3A16658\"}\n13d:{\"related\":\"$13e\",\"self\":\"$13f\"}\n13a:{\"data\":\"$13b\",\"links\":\"$13d\"}\n133:{\"paragraph_type\":\"$134\",\"field_link\":\"$13a\"}\n12e:{\"type\":\"paragraph--internal_link\",\"id\":\"578aded8-f5f4-44ad-889c-dc6361470f93\",\"links\":\"$12f\",\"attributes\":\"$131\",\"relationships\":\"$133\"}\n142:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66?resourceVersion=id%3A16659\"}\n141:{\"self\":\"$142\"}\n144:[]\n143:{\"drupal_internal__id\":1406,\"drupal_internal__revision_id\":16659,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:50:46+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$144\",\"default_langcode\":true,\"revision_translation_affected\":true}\n148:{\"drupal_internal__target_id\":\"internal_link\"}\n147:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$148\"}\n14a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/paragraph_type?resourceVersion=id%3A16659\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/relationships/paragraph_type?resourceVersion=id%3A16659\"}\n149:{\"related\":\"$14a\",\"self\":\"$14b\"}\n146:{\"data\":\"$147\",\"links\":\"$149\"}\n14e:{\"drupal_internal__target_id\":701}\n14d:{\"type\":\"node--library\",\"id\":\"8a4a4
6d2-953a-45b9-8143-0a7f26e526e9\",\"meta\":\"$14e\"}\n150:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/field_link?resourceVersion=id%3A16659\"}\n151:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/relationships/field_link?resourceVersion=id%3A16659\"}\n14f:{\"related\":\"$150\",\"self\":\"$151\"}\n14c:{\"data\":\"$14d\",\"links\":\"$14f\"}\n145:{\"paragraph_type\":\"$146\",\"field_link\":\"$14c\"}\n140:{\"type\":\"paragraph--internal_link\",\"id\":\"98d03f5a-69fe-4161-a229-edbda422bc66\",\"links\":\"$141\",\"attributes\":\"$143\",\"relati"])</script><script>self.__next_f.push([1,"onships\":\"$145\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d?resourceVersion=id%3A16660\"}\n153:{\"self\":\"$154\"}\n156:[]\n155:{\"drupal_internal__id\":1411,\"drupal_internal__revision_id\":16660,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:51:06+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$156\",\"default_langcode\":true,\"revision_translation_affected\":true}\n15a:{\"drupal_internal__target_id\":\"internal_link\"}\n159:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$15a\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/paragraph_type?resourceVersion=id%3A16660\"}\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/relationships/paragraph_type?resourceVersion=id%3A16660\"}\n15b:{\"related\":\"$15c\",\"self\":\"$15d\"}\n158:{\"data\":\"$159\",\"links\":\"$15b\"}\n160:{\"drupal_internal__target_id\":681}\n15f:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":\"$160\"}\n162:{\"href\
":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/field_link?resourceVersion=id%3A16660\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/relationships/field_link?resourceVersion=id%3A16660\"}\n161:{\"related\":\"$162\",\"self\":\"$163\"}\n15e:{\"data\":\"$15f\",\"links\":\"$161\"}\n157:{\"paragraph_type\":\"$158\",\"field_link\":\"$15e\"}\n152:{\"type\":\"paragraph--internal_link\",\"id\":\"898f22a8-2374-47bb-b702-364229dc6b1d\",\"links\":\"$153\",\"attributes\":\"$155\",\"relationships\":\"$157\"}\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58?resourceVersion=id%3A16661\"}\n165:{\"self\":\"$166\"}\n168:[]\n167:{\"drupal_internal__id\":1416,\"drupal_internal__revision_id\":16661,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:51:32+00:00\",\"pare"])</script><script>self.__next_f.push([1,"nt_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$168\",\"default_langcode\":true,\"revision_translation_affected\":true}\n16c:{\"drupal_internal__target_id\":\"internal_link\"}\n16b:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$16c\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/paragraph_type?resourceVersion=id%3A16661\"}\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/relationships/paragraph_type?resourceVersion=id%3A16661\"}\n16d:{\"related\":\"$16e\",\"self\":\"$16f\"}\n16a:{\"data\":\"$16b\",\"links\":\"$16d\"}\n172:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/field_link?resourceVersion=id%3A16661\"}\n173:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_
link/5d6eed26-779b-4619-9b43-9c37552afd58/relationships/field_link?resourceVersion=id%3A16661\"}\n171:{\"related\":\"$172\",\"self\":\"$173\"}\n170:{\"data\":null,\"links\":\"$171\"}\n169:{\"paragraph_type\":\"$16a\",\"field_link\":\"$170\"}\n164:{\"type\":\"paragraph--internal_link\",\"id\":\"5d6eed26-779b-4619-9b43-9c37552afd58\",\"links\":\"$165\",\"attributes\":\"$167\",\"relationships\":\"$169\"}\n176:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e?resourceVersion=id%3A4913\"}\n175:{\"self\":\"$176\"}\n178:{\"alias\":\"/policy-guidance/cms-breach-response-handbook\",\"pid\":611,\"langcode\":\"en\"}\n17a:T7b99,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax Information (FTI) at the CMS to meet federal requirements for breach response. 
The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.\u003c/p\u003e\u003cp\u003eThese procedures help to ensure a coordinated response from all entities responsible for investigating and mitigating a breach, including organizations internal and external to CMS, as well as those responsible for remediating any identified process shortfalls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThese procedures apply to federal information and information systems, as defined in the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Modernization Act (FISMA)\u003c/a\u003e but not to national security systems.\u003c/p\u003e\u003cp\u003eThis handbook covers breach response activities at CMS as an Operating Division (OpDiv) of the U.S. Department of Health and Human Services (HHS). It applies to CMS employees, contractors, grant recipients, interns, and affiliates supporting CMS. All organizations collecting or maintaining information or using or operating information systems on behalf of CMS also need to follow these procedures in accordance with such organizations’ contractual requirements to report to and cooperate with CMS during a breach.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOut-of-scope entities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMedicare Advantage (Plans C and D) and State Medicaid programs are not CMS FISMA entities but are HIPAA-covered entities. 
These entities must honor their own reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs this handbook?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis handbook is for all CMS stakeholders who may need to participate in or approve of breach response activities, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the CMS Cybersecurity Integration Center who support CMS Incident Response (IR)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System Owners (SO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDefinitions for incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eExact reporting requirements during a breach depend on the nature of the data affected by the breach. The Office of Management and Budget (OMB) has defined multiple types of security and privacy incidents within the scope of the Executive Branch. 
This section presents definitions of types of sensitive data and breach categories for use at CMS.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat counts as sensitive data?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 prescribes that \u003cstrong\u003ePersonally Identifiable Information\u003c/strong\u003e refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can distinguish or trace an individual’s identity, the term PII is necessarily broad.\u003c/p\u003e\u003cp\u003eThe Health Insurance Portability and Accountability Act (HIPAA) provides that \u003cstrong\u003eProtected Health Information\u003c/strong\u003e is personally identifiable health information. PHI is also PII.\u003c/p\u003e\u003cp\u003eInternal Revenue Service Publication 1075 prescribes that \u003cstrong\u003eFederal Tax Information\u003c/strong\u003e consists of federal tax returns and return information (and information derived from it) that is in an agency’s possession or control. 
FTI may contain PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is an incident?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to the CMS Risk Management Handbook, an\u003cstrong\u003e incident\u003c/strong\u003e is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is a breach?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 stipulates that a \u003cstrong\u003ebreach\u003c/strong\u003e is a type of incident in which there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where either of these occurs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA person other than an authorized user accesses or potentially accesses PII\u003c/li\u003e\u003cli\u003eAn authorized user accesses PII for an other-than-authorized purpose\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreaches begin as incidents until incident responders determine that PII has been affected. Breach activities will often take place concurrently to ongoing incident response activities, such as containment, eradication, and recovery activities. For more information about Incident Response process, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eCMS will assess suspected breaches of PII to determine if they represent enough risk of harm to individuals whose data was compromised to require notification and mitigation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-20-04, a \u003cstrong\u003emajor incident\u003c/strong\u003e is an incident that compromises U.S. national security. CMS does not store any data that, if breached, may impact national security. 
OMB also defines any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people as a major incident. Major incidents must be reported to Congress within seven days.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReporting incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIncident responders may determine during the incident response process, as more information about an incident is discovered, that the incident falls into other incident categories that trigger additional reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of reporting triggers\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTrigger\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOutcome\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAll Incidents\u003c/td\u003e\u003ctd\u003eNotify HHS, notify US-CERT (Computer Emergency Response Team)\u003c/td\u003e\u003ctd\u003eHHS is automatically notified by the CMS incident ticketing system; HHS handles reporting to US-CERT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll Suspected or Confirmed Breaches\u003c/td\u003e\u003ctd\u003eConduct Risk Assessment\u003c/td\u003e\u003ctd\u003eIf the breach is not in a predefined low-risk category, the CMS Breach Analysis Team must convene.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGreater than 500 individuals within same jurisdiction are affected by a breach\u003c/td\u003e\u003ctd\u003eNotify media in affected jurisdiction\u003c/td\u003e\u003ctd\u003eContact CMS Media Relations Group (MRG)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach indicates illegal activity\u003c/td\u003e\u003ctd\u003eContact Law Enforcement via HHS oversight 
body\u003c/td\u003e\u003ctd\u003eContact HHS Office of Inspector General (OIG) Computer Crimes Unit (CCU)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach affects FTI\u003c/td\u003e\u003ctd\u003eNotify IRS and Treasury Inspector General for Tax Administration\u003c/td\u003e\u003ctd\u003eContact CMS-IRS Liaison\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGreater than 100,000 individuals are affected by the breach (Major Incident)\u003c/td\u003e\u003ctd\u003eNotify Congress within seven days\u003c/td\u003e\u003ctd\u003eContact Office of Legislation\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eAll incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe report should be made immediately upon discovery to start the CMS incident response process. The IT Service Desk instructs the reporter to fill out an incident report using the Incident Report Template which is then sent to the Incident Management Team (IMT). Incidents must be reported whether they are confirmed to have occurred or are only suspected to have occurred. The Helpdesk refers security and privacy incidents to IMT, which then coordinates efforts to analyze, contain, and eradicate the incident.\u003c/p\u003e\u003cp\u003eAll incidents involving CMS must be reported to HHS to ensure that HHS can provide accurate incident statistics for its OpDivs as per FISMA requirements. By integrating CMSs incident ticketing system with HHS, CMS automatically notifies HHS of incidents. 
More details on the CMS Incident Response capability and reporting requirements for incidents other than breaches can be found in the Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAll breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) investigates reported security and privacy incidents to determine if they meet the definition of a breach. The team does not need confirmation of a breach to begin the breach response process — they should treat incidents as breaches as soon as the investigation reveals that PII, PHI, or FTI was jeopardized by an incident.\u003c/p\u003e\u003cp\u003eIf an incident reaches the status of a suspected breach, IMT conducts a risk assessment on the suspected breach using the Risk Assessment Checklist. Then they notify the CMS Breach Analysis Team (BAT) that a suspected breach has occurred and provide the BAT with the results of the risk assessment.\u003c/p\u003e\u003cp\u003eThe BAT convenes to review the risk assessment and determine the likelihood of sensitive data compromise according to the CMS Breach Analysis Team Handbook. The team assigns the breach a risk rating of Low, Moderate, or High, and advises the affected system’s Business Owner (BO) on whether CMS must notify the affected individuals. 
Should notification be necessary, the Senior Official for Privacy (SOP) at CMS works with the following people to develop a notification and mitigation plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBusiness Owner of the CMS system affected by the breach\u003c/li\u003e\u003cli\u003eContracting Officer’s Representative (COR) for any affected contractors\u003c/li\u003e\u003cli\u003eIncident responders\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the nature and quantity of the sensitive data compromised by the breach, different reporting requirements apply:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003ePHI/PII\u003c/strong\u003e, the HIPAA Breach Notification Rule applies.\u003c/li\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003eFTI\u003c/strong\u003e, the IRS requires that the U.S. Treasury Inspector General for Tax Administration (TIGTA) be notified.\u003c/li\u003e\u003cli\u003eIf a breach compromises any data that may impact U.S. national security or otherwise meets the definition of a \u003cstrong\u003emajor incident\u003c/strong\u003e, then Congress must be notified.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eLow risk scenarios\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome privacy incidents are considered low risk and do not rise to the threshold of a breach. The Data Governance Board (DGB) has defined a set of criteria for such incidents in the Data Governance Board Guidelines. The IMT can close out these breaches automatically if they represent a sufficiently low risk to not require convening a full Breach Analysis Team.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of PHI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS’s administration of Medicare and Medicaid makes the agency a covered entity under HIPAA and subject to the law’s reporting and notification requirements when PHI is breached. 
This includes reporting to the HHS Office of Civil Rights (OCR) of all breaches of Protected Health Information (PHI) for each calendar year \u0026nbsp;— including those that occur with a business associate.\u003c/p\u003e\u003cp\u003eAny compromise of PHI requires CMS to notify the affected individual(s) within 60 days. If a breach affects the PHI of more than 500 residents of a U.S. state or jurisdiction, CMS is also “required to provide notice to prominent media outlets serving the State or jurisdiction,” and notify OCR within 60 days. The Breach Analysis Team must work with the CMS Office of Communications Media Relations Group to complete this notification step.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of FTI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Internal Revenue Service (IRS) requires organizations handling FTI (federal tax returns and return information, including information derived from a return) to report any unauthorized access to or disclosure of FTI to the Treasury Inspector General for Tax Administration and the IRS Office of Safeguards within 24 hours of identifying the incident.\u003c/p\u003e\u003cp\u003eIf the Incident Management Team (IMT)\u0026nbsp; determines that there is a possibility that FTI has been compromised by an incident, they should immediately notify the CMS IRS Liaison to begin the process for reporting to the IRS and TIGTA. Breach response stakeholders should be aware that IRS may request additional data and updates from CMS as the incident response process continues.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB requires agencies to report major incidents to Congress within seven days. The threshold for a major incident is a breach that affects more than 100,000 individuals. As an HHS OpDiv, CMS will report major incidents to the HHS Computer Security Incident Response Center (CSIRC) to assist HHS in making a report to Congress. 
CMS will also report major incidents to the CMS Office of Legislation to ensure that the Office can coordinate with HHS on any participation by CMS in the report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps and deliverables\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities at CMS require robust lines of communication and clearly defined deliverables between multiple organizations and components, including CMS groups, contractors and associates, and HHS entities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn general, the communication responsibilities of CMS, HHS, and entities are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS will be responsible for collecting data pertaining to the breach, developing a plan for notifying persons affected by the breach and mitigating any resulting harm, and reporting all breach response activities to HHS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eHHS will be responsible for coordinating between CMS and external federal agencies, as well as approving any notification and mitigation plans developed by CMS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eEntities operating on behalf of CMS (contractors and associates) are responsible for implementing notification and mitigation plans created by CMS and approved by HHS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreach response activities take place in tandem with incident response activities. Discovery of new data about a breach should be reported as soon as possible to HHS Computer Security Incident Response Center (CSIRC), to ensure that HHS can meet its own reporting requirements. (HHS CSIRC is the primary communication pathway between CMS and external organizations such as other federal agencies.)\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS maintains an incident ticketing system that automatically sends ticket updates to a mirrored ticket in the equivalent HHS CSIRC ticketing system. 
Incident responders must maintain this integration and ensure that tickets are promptly updated to communicate with HHS.\u003c/p\u003e\u003cp\u003eThe Incident Management Team, in keeping with its role during incident response, is the primary communication pathway between organizations within CMS and its contractors and associates. For more details on IMT’s role and process during incidents, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eBreach response activities are accomplished through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report as a deliverable\u003c/strong\u003e to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIMT works with the affected system’s officials and operators to investigate the incident. They assess the incident to determine if any categories of sensitive data may be compromised. If there is a possibility of compromise, the incident is considered a suspected breach. IMT conducts a risk assessment using the “Factors for Assessing the Risk of Harm to Potentially Affected Individuals” prescribed by OMB and defined in the CMS Risk Assessment for Breach Notification Determination form. 
Then they formally convene the Breach Analysis Team and provide the team with the\u003cstrong\u003e IMT Risk Assessment as a deliverable.\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreach analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Breach Analysis Team convenes to review the IMT Risk Assessment and categorizes the risk represented by the breach as low, moderate, or high, as described in the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system, including the Business Owner, ISSOs, COR (if the affected system is a contractor system), Senior Official for Privacy, and the DCTSO Incident Commander.\u003c/p\u003e\u003cp\u003eThe BAT determines if the conditions of the breach warrant notifying the affected individuals. If so, the BAT drafts a \u003cstrong\u003eNotification and Mitigation Plan as a deliverable\u003c/strong\u003e to the HHS Privacy Incident Response Team (PIRT), using the HHS PIRT Response Plan Template. The Business Owner of the affected system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification and mitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of breach response deliverables\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eBreach Response Deliverable\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsible\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDelivered To\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Report Ticket\u003c/td\u003e\u003ctd\u003eCMS IT Helpdesk\u003c/td\u003e\u003ctd\u003eIncident Management Team (IMT). IMT continues to update the ticket with information about the breach as the response proceeds.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk Assessment\u003c/td\u003e\u003ctd\u003eIncident Management Team\u003c/td\u003e\u003ctd\u003eBreach Analysis Team (BAT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNotification and Mitigation Plan\u003c/td\u003e\u003ctd\u003eBreach Analysis Team\u003c/td\u003e\u003ctd\u003eHHS Privacy Incident Response Team (PIRT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach Notification to Affected Individuals\u003c/td\u003e\u003ctd\u003eSystem Business Owner / Contracting Officers Representative\u003c/td\u003e\u003ctd\u003eAffected individuals\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eBreach notification and mitigation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe goal of breach response activities is to reduce the risk of harm to individuals that is created by a breach of sensitive data. 
If the Breach Analysis Team determines that a breach represents enough risk to individuals, they develop a Notification and Mitigation Plan.\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy, in cooperation with the Business Owner of the affected system and with support from the full BAT, is responsible for developing the Notification and Mitigation Plan. CMS will receive approval to implement the plan from the HHS PIRT, using the HHS PIRT Response Plan Template as the formal deliverable. The Notification and Mitigation Plan must consider the nature and scope of the breach to determine if media organizations must be notified as per the HIPAA requirements.\u003c/p\u003e\u003cp\u003eOnce approved, the Notification and Mitigation Plan is implemented, with responsibility for implementation assigned to the Business Owner of the affected system (or the COR, if the affected system is a contractor system). If media notification is required, the BAT should coordinate with the CMS Media Relations Group (MRG).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the Breach Analysis Team determines that a breach of PII represents a risk of harm to the affected individuals, then CMS must notify individuals whose PII is compromised in a breach. 
The team will develop a Notification and Mitigation Plan to describe the actions CMS will take to protect the affected individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIndividual notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs prescribed by the \u003ca href=\"/policy-guidance/breach-analysis-team-bat-handbook\"\u003eCMS Breach Analysis Team Handbook\u003c/a\u003e, the CMS Senior Official for Privacy works with the Business Owner of an affected CMS system to develop a notification letter describing the breach for individuals and submit it to HHS PIRT for approval.\u003c/p\u003e\u003cp\u003eOMB M-17-12 provides direction to federal agencies on what information should be included in breach notifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA brief description of what happened, including the date(s) of the breach and of its discovery\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of the types of sensitive data compromised by the breach (e.g., full name, Social Security Number, date of birth, home address, account number, and disability code), to the extent possible\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA statement of whether the information was encrypted or protected by other means, when it is determined that disclosing such information would be beneficial to potentially affected individuals and would not compromise the security of the information system\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eGuidance to potentially affected individuals on how they can mitigate their own risk of harm, the countermeasures undertaken, and any services provided to potentially affected individuals\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eAny steps being taken to investigate the breach, to mitigate losses, and to protect against a future breach\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of how potentially affected individuals 
can learn more information about the breach, including a telephone number (preferably toll-free), email address, and postal address\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS PIRT has oversight over CMS breach notification plans. After developing the notification letter and a plan to contact the affected individuals, the BAT should meet with HHS PIRT to gain approval to implement the plan. This meeting should also be attended by the Business Owner(s) of any affected CMS systems, the Contracting Officers of any CMS contractor partners who were involved in the breach, and the incident response personnel who investigated the breach to ensure that HHS PIRT can receive timely answers to any questions related to the breach.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedia notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn addition to individual notification, HIPAA requires CMS to notify local media outlets if a breach of PHI affects more than 500 individuals within a single locality.\u0026nbsp; The Breach Analysis Team should contact CMS Media Relations Group if a breach of PII/PHI affects more than 500 individuals to make certain that any plans to contact media outlets are included in the notification plan submitted to HHS PIRT for approval.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNotification through public CMS resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS must also consider that a widely publicized breach may cause members of the public to attempt to contact CMS with questions about the breach and inquire whether their own information was affected. 
As part of the notification plan, the Breach Analysis Team may determine that CMS should provide a public notification message on its public resources, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePosting on the cms.gov homepage to inform the public of the breach, with a link to further details\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eProviding CMS call centers with a message to play at the start of calls to inform callers how they can determine if they were affected by a breach\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eMitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs part of its notification plan, the Breach Analysis Team must determine and document the actions that CMS will take to mitigate the risk of harm. If the breach puts the affected individuals at risk for identity theft, CMS will offer credit monitoring as prescribed by the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBudgeting considerations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere may be costs associated with implementing a notification and mitigation plan, such as providing a credit monitoring service free of charge to the affected individuals. If a contractor system is breached, the contractor should cover the costs of notification and mitigation. CMS contracts should establish this responsibility.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response stakeholders have direct or supporting roles and responsibilities during a breach. Some stakeholders in this group are associated with the FISMA system undergoing a breach and some are part of the CMS incident response capability. 
The breach response stakeholders have the following roles and responsibilities:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS FISMA System Stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns decision to notify individuals affected by a breach and provide mitigation, with advisement from the BAT.\u003c/li\u003e\u003cli\u003eOwns decision to take major actions impacting system availability in response to a breach (such as shutting down a breached system).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrimary Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary system stakeholder in charge of providing data to IMT, BAT, and other breach response stakeholders about the affected system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOperations Teams (to include General Support System [GSS] support)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eTakes incident response actions on the system affected by the breach. 
May escalate decision to take major action impacting availability to the BO.\u003c/li\u003e\u003cli\u003eProvides system data to IMT, BAT and other breach response stakeholders at the direction of the ISSO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Adviser (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides guidance to breach response stakeholders on risk and compliance for the affected system.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISPG Breach Response and Coordination\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS CISO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the breach response process.\u003c/li\u003e\u003cli\u003eIs kept apprised of all developments during breach response, analysis, notification, and mitigation.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the Breach Analysis Team process.\u003c/li\u003e\u003cli\u003eOwns and oversees the Notification and Mitigation Plan, in cooperation with the system BO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDCTSO Incident Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the incident response process.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team (IMT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary coordination entity for breach response. 
Works to provide leadership (BAT, senior officials) with data about the breach to make decisions.\u003c/li\u003e\u003cli\u003eConducts initial analysis and risk assessment of breaches to provide to the BAT.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Security Operations Center (SOC)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technical support and security subject matter expertise to the BAT during a breach.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Subject Matter Expert Support\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS Office of Communications/Media Relations Group\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides notification to media outlets in the event of a breach affecting the PHI of more than 500 individuals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOffice of General Counsel\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides support to the BAT in the event of a major incident to help CMS prepare for congressional notification.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBreach Analysis Team (BAT)\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eOwns the risk decision (low/moderate/high) after IMT conducts a risk assessment.\u003c/li\u003e\u003cli\u003eWorks with the SOP and BO to advise on the Notification and Mitigation Plan.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eLaws and guidance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this list of applicable laws and guidance to learn more about the processes described in this handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal laws\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\"\u003eFederal Information Security Modernization Act\u003c/a\u003e (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 
18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter 11).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf\"\u003eHealth Insurance Portability and Accountability Act\u003c/a\u003e (HIPAA) of 1996, Pub. L. 104-191 (Aug. 21, 1996).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eExecutive orders, memoranda, and directives\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\"\u003eOMB Memorandum M-17-12\u003c/a\u003e, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04\u003c/a\u003e, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (November 19, 2019).\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e (July 28, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident\"\u003ePPD-41, Annex for Presidential Policy Directive\u003c/a\u003e United States Cyber Incident Coordination (July 26, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-14.pdf\"\u003eOMB Memorandum M-16-14, Category Management Policy 16-2\u003c/a\u003e: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 
2016).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS / HHS policy and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eCMS Risk Management Handbook (RMH) Chapter 8: Incident Response\u003c/li\u003e\u003cli\u003eCMS Breach Analysis Team Handbook\u003c/li\u003e\u003cli\u003eData Governance Guidelines\u003c/li\u003e\u003cli\u003eHHS PIRT Response Plan Template\u003c/li\u003e\u003cli\u003eCMS Risk Assessment for Breach Notification Determination\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Commerce / National Institute of Standards and Technology (NIST)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNIST Special Publication 800-34 (Revision 1), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf\"\u003eContingency Planning Guide for Federal Information Systems and Organizations\u003c/a\u003e (Apr. 2013).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-61 (Revision 2), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eComputer Security Incident Handling Guide\u003c/a\u003e (Aug. 2012).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-122, \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf\"\u003eGuide to Protecting the Confidentiality of PII\u003c/a\u003e (Apr. 
2010).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Homeland Security (DHS) / United States Computer Emergency Readiness Team (US-CERT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/uscert/incident-notification-guidelines\"\u003eUS-CERT Federal Incident Notification Guidelines\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNational Cybersecurity and Communications Integration Center (NCCIC) \u003ca href=\"https://www.cisa.gov/uscert/CISA-National-Cyber-Incident-Scoring-System\"\u003eCyber Incident Scoring System\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eGeneral Services Administration (GSA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.gsa.gov/buy-through-us/products-services/professional-services/buy-services/identity-protection-services-ips\"\u003eIdentity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"17b:T7b99,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax Information (FTI) at the CMS to meet federal requirements for breach response. 
The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.\u003c/p\u003e\u003cp\u003eThese procedures help to ensure a coordinated response from all entities responsible for investigating and mitigating a breach, including organizations internal and external to CMS, as well as those responsible for remediating any identified process shortfalls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThese procedures apply to federal information and information systems, as defined in the \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFederal Information Security Modernization Act (FISMA)\u003c/a\u003e but not to national security systems.\u003c/p\u003e\u003cp\u003eThis handbook covers breach response activities at CMS as an Operating Division (OpDiv) of the U.S. Department of Health and Human Services (HHS). It applies to CMS employees, contractors, grant recipients, interns, and affiliates supporting CMS. All organizations collecting or maintaining information or using or operating information systems on behalf of CMS also need to follow these procedures in accordance with such organizations' contractual requirements to report to and cooperate with CMS during a breach.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOut-of-scope entities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eMedicare Advantage (Plans C and D) and State Medicaid programs are not CMS FISMA entities but are HIPAA-covered entities. 
These entities must honor their own reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs this handbook?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis handbook is for all CMS stakeholders who may need to participate in or approve of breach response activities, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonnel at the CMS Cybersecurity Integration Center who support CMS Incident Response (IR)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople within CMS responsible for ensuring system security and privacy such as System Owners (SO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003ePeople at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDefinitions for incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eExact reporting requirements during a breach depend on the nature of the data affected by the breach. The Office of Management and Budget (OMB) has defined multiple types of security and privacy incidents within the scope of the Executive Branch. 
This section presents definitions of types of sensitive data and breach categories for use at CMS.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat counts as sensitive data?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 prescribes that \u003cstrong\u003ePersonally Identifiable Information\u003c/strong\u003e refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can distinguish or trace an individual's identity, the term PII is necessarily broad.\u003c/p\u003e\u003cp\u003eThe Health Insurance Portability and Accountability Act (HIPAA) provides that \u003cstrong\u003eProtected Health Information\u003c/strong\u003e is personally identifiable health information. PHI is also PII.\u003c/p\u003e\u003cp\u003eInternal Revenue Service Publication 1075 prescribes that \u003cstrong\u003eFederal Tax Information\u003c/strong\u003e consists of federal tax returns and return information (and information derived from it) that is in an agency's possession or control. 
FTI may contain PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is an incident?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAccording to the CMS Risk Management Handbook, an\u003cstrong\u003e incident\u003c/strong\u003e is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is a breach?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB Memorandum M-17-12 stipulates that a \u003cstrong\u003ebreach\u003c/strong\u003e is a type of incident in which there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where either of these occurs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA person other than an authorized user accesses or potentially accesses PII\u003c/li\u003e\u003cli\u003eAn authorized user accesses PII for an other-than-authorized purpose\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreaches begin as incidents until incident responders determine that PII has been affected. Breach activities will often take place concurrently to ongoing incident response activities, such as containment, eradication, and recovery activities. For more information about Incident Response process, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eCMS will assess suspected breaches of PII to determine if they represent enough risk of harm to individuals whose data was compromised to require notification and mitigation.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-20-04, a \u003cstrong\u003emajor incident\u003c/strong\u003e is an incident that compromises U.S. national security. CMS does not store any data that, if breached, may impact national security. 
OMB also defines any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people as a major incident. Major incidents must be reported to Congress within seven days.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eReporting incidents and breaches\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIncident responders may determine during the incident response process, as more information about an incident is discovered, that the incident falls into other incident categories that trigger additional reporting requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of reporting triggers\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTrigger\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eRequirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOutcome\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAll Incidents\u003c/td\u003e\u003ctd\u003eNotify HHS, notify US-CERT (Computer Emergency Response Team)\u003c/td\u003e\u003ctd\u003eHHS is automatically notified by the CMS incident ticketing system; HHS handles reporting to US-CERT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll Suspected or Confirmed Breaches\u003c/td\u003e\u003ctd\u003eConduct Risk Assessment\u003c/td\u003e\u003ctd\u003eIf the breach is not in a predefined low-risk category, the CMS Breach Analysis Team must convene.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGreater than 500 individuals within same jurisdiction are affected by a breach\u003c/td\u003e\u003ctd\u003eNotify media in affected jurisdiction\u003c/td\u003e\u003ctd\u003eContact CMS Media Relations Group (MRG)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach indicates illegal activity\u003c/td\u003e\u003ctd\u003eContact Law Enforcement via HHS oversight 
body\u003c/td\u003e\u003ctd\u003eContact HHS Office of Inspector General (OIG) Computer Crimes Unit (CCU)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach affects FTI\u003c/td\u003e\u003ctd\u003eNotify IRS and Treasury Inspector General for Tax Administration\u003c/td\u003e\u003ctd\u003eContact CMS-IRS Liaison\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGreater than 100,000 individuals are affected by the breach (Major Incident)\u003c/td\u003e\u003ctd\u003eNotify Congress within seven days\u003c/td\u003e\u003ctd\u003eContact Office of Legislation\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eAll incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk.\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe report should be made immediately upon discovery to start the CMS incident response process. The IT Service Desk instructs the reporter to fill out an incident report using the Incident Report Template which is then sent to the Incident Management Team (IMT). Incidents must be reported whether they are confirmed to have occurred or are only suspected to have occurred. The Helpdesk refers security and privacy incidents to IMT, which then coordinates efforts to analyze, contain, and eradicate the incident.\u003c/p\u003e\u003cp\u003eAll incidents involving CMS must be reported to HHS to ensure that HHS can provide accurate incident statistics for its OpDivs as per FISMA requirements. By integrating CMS's incident ticketing system with HHS, CMS automatically notifies HHS of incidents. 
More details on the CMS Incident Response capability and reporting requirements for incidents other than breaches can be found in the Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAll breaches\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) investigates reported security and privacy incidents to determine if they meet the definition of a breach. The team does not need confirmation of a breach to begin the breach response process — they should treat incidents as breaches as soon as the investigation reveals that PII, PHI, or FTI was jeopardized by an incident.\u003c/p\u003e\u003cp\u003eIf an incident reaches the status of a suspected breach, IMT conducts a risk assessment on the suspected breach using the Risk Assessment Checklist. Then they notify the CMS Breach Analysis Team (BAT) that a suspected breach has occurred and provide the BAT with the results of the risk assessment.\u003c/p\u003e\u003cp\u003eThe BAT convenes to review the risk assessment and determine the likelihood of sensitive data compromise according to the CMS Breach Analysis Team Handbook. The team assigns the breach a risk rating of Low, Moderate, or High, and advises the affected system's Business Owner (BO) on whether CMS must notify the affected individuals. 
Should notification be necessary, the Senior Official for Privacy (SOP) at CMS works with the following people to develop a notification and mitigation plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBusiness Owner of the CMS system affected by the breach\u003c/li\u003e\u003cli\u003eContracting Officer's Representative (COR) for any affected contractors\u003c/li\u003e\u003cli\u003eIncident responders\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDepending on the nature and quantity of the sensitive data compromised by the breach, different reporting requirements apply:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003ePHI/PII\u003c/strong\u003e, the HIPAA Breach Notification Rule applies.\u003c/li\u003e\u003cli\u003eIf a breach compromises \u003cstrong\u003eFTI\u003c/strong\u003e, the IRS requires that the U.S. Treasury Inspector General for Tax Administration (TIGTA) be notified.\u003c/li\u003e\u003cli\u003eIf a breach compromises any data that may impact U.S. national security or otherwise meets the definition of a \u003cstrong\u003emajor incident\u003c/strong\u003e, then Congress must be notified.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eLow risk scenarios\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome privacy incidents are considered low risk and do not rise to the threshold of a breach. The Data Governance Board (DGB) has defined a set of criteria for such incidents in the Data Governance Board Guidelines. The IMT can close out these breaches automatically if they represent a sufficiently low risk to not require convening a full Breach Analysis Team.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of PHI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS's administration of Medicare and Medicaid makes the agency a covered entity under HIPAA and subject to the law's reporting and notification requirements when PHI is breached. 
This includes reporting to the HHS Office of Civil Rights (OCR) of all breaches of Protected Health Information (PHI) for each calendar year — including those that occur with a business associate.\u003c/p\u003e\u003cp\u003eAny compromise of PHI requires CMS to notify the affected individual(s) within 60 days. If a breach affects the PHI of more than 500 residents of a U.S. state or jurisdiction, CMS is also “required to provide notice to prominent media outlets serving the State or jurisdiction,” and notify OCR within 60 days. The Breach Analysis Team must work with the CMS Office of Communications Media Relations Group to complete this notification step.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreaches of FTI\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Internal Revenue Service (IRS) requires organizations handling FTI (federal tax returns and return information, including information derived from a return) to report any unauthorized access to or disclosure of FTI to the Treasury Inspector General for Tax Administration and the IRS Office of Safeguards within 24 hours of identifying the incident.\u003c/p\u003e\u003cp\u003eIf the Incident Management Team (IMT) determines that there is a possibility that FTI has been compromised by an incident, they should immediately notify the CMS IRS Liaison to begin the process for reporting to the IRS and TIGTA. Breach response stakeholders should be aware that IRS may request additional data and updates from CMS as the incident response process continues.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMajor incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOMB requires agencies to report major incidents to Congress within seven days. The threshold for a major incident is a breach that affects more than 100,000 individuals. As an HHS OpDiv, CMS will report major incidents to the HHS Computer Security Incident Response Center (CSIRC) to assist HHS in making a report to Congress. 
CMS will also report major incidents to the CMS Office of Legislation to ensure that the Office can coordinate with HHS on any participation by CMS in the report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBreach response steps and deliverables\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response activities at CMS require robust lines of communication and clearly defined deliverables between multiple organizations and components, including CMS groups, contractors and associates, and HHS entities.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn general, the communication responsibilities of CMS, HHS, and entities are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS will be responsible for collecting data pertaining to the breach, developing a plan for notifying persons affected by the breach and mitigating any resulting harm, and reporting all breach response activities to HHS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eHHS will be responsible for coordinating between CMS and external federal agencies, as well as approving any notification and mitigation plans developed by CMS.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eEntities operating on behalf of CMS (contractors and associates) are responsible for implementing notification and mitigation plans created by CMS and approved by HHS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBreach response activities take place in tandem with incident response activities. Discovery of new data about a breach should be reported as soon as possible to HHS Computer Security Incident Response Center (CSIRC), to ensure that HHS can meet its own reporting requirements. (HHS CSIRC is the primary communication pathway between CMS and external organizations such as other federal agencies.)\u0026nbsp;\u003c/p\u003e\u003cp\u003eCMS maintains an incident ticketing system that automatically sends ticket updates to a mirrored ticket in the equivalent HHS CSIRC ticketing system. 
Incident responders must maintain this integration and ensure that tickets are promptly updated to communicate with HHS.\u003c/p\u003e\u003cp\u003eThe Incident Management Team, in keeping with its role during incident response, is the primary communication pathway between organizations within CMS and its contractors and associates. For more details on IMT's role and process during incidents, see the CMS Risk Management Handbook Chapter 8: Incident Response.\u003c/p\u003e\u003cp\u003eBreach response activities are accomplished through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eReporting\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report as a deliverable\u003c/strong\u003e to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIMT works with the affected system's officials and operators to investigate the incident. They assess the incident to determine if any categories of sensitive data may be compromised. If there is a possibility of compromise, the incident is considered a suspected breach. IMT conducts a risk assessment using the “Factors for Assessing the Risk of Harm to Potentially Affected Individuals” prescribed by OMB and defined in the CMS Risk Assessment for Breach Notification Determination form. 
Then they formally convene the Breach Analysis Team and provide the team with the\u003cstrong\u003e IMT Risk Assessment as a deliverable.\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBreach analysis\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Breach Analysis Team convenes to review the IMT Risk Assessment and categorizes the risk represented by the breach as low, moderate, or high, as described in the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system, including the Business Owner, ISSOs, COR (if the affected system is a contractor system), Senior Official for Privacy, and the DCTSO Incident Commander.\u003c/p\u003e\u003cp\u003eThe BAT determines if the conditions of the breach warrant notifying the affected individuals. If so, the BAT drafts a \u003cstrong\u003eNotification and Mitigation Plan as a deliverable\u003c/strong\u003e to the HHS Privacy Incident Response Team (PIRT), using the HHS PIRT Response Plan Template. The Business Owner of the affected system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification and mitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) is responsible for executing the approved plan.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTable of breach response deliverables\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eBreach Response Deliverable\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsible\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDelivered To\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Report Ticket\u003c/td\u003e\u003ctd\u003eCMS IT Helpdesk\u003c/td\u003e\u003ctd\u003eIncident Management Team (IMT). IMT continues to update the ticket with information about the breach as the response proceeds.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRisk Assessment\u003c/td\u003e\u003ctd\u003eIncident Management Team\u003c/td\u003e\u003ctd\u003eBreach Analysis Team (BAT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNotification and Mitigation Plan\u003c/td\u003e\u003ctd\u003eBreach Analysis Team\u003c/td\u003e\u003ctd\u003eHHS Privacy Incident Response Team (PIRT)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreach Notification to Affected Individuals\u003c/td\u003e\u003ctd\u003eSystem Business Owner / Contracting Officer's Representative\u003c/td\u003e\u003ctd\u003eAffected individuals\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eBreach notification and mitigation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe goal of breach response activities is to reduce the risk of harm to individuals that is created by a breach of sensitive data. 
If the Breach Analysis Team determines that a breach represents enough risk to individuals, they develop a Notification and Mitigation Plan.\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy, in cooperation with the Business Owner of the affected system and with support from the full BAT, is responsible for developing the Notification and Mitigation Plan. CMS will receive approval to implement the plan from the HHS PIRT, using the HHS PIRT Response Plan Template as the formal deliverable. The Notification and Mitigation Plan must consider the nature and scope of the breach to determine if media organizations must be notified as per the HIPAA requirements.\u003c/p\u003e\u003cp\u003eOnce approved, the Notification and Mitigation Plan is implemented, with responsibility for implementation assigned to the Business Owner of the affected system (or the COR, if the affected system is a contractor system). If media notification is required, the BAT should coordinate with the CMS Media Relations Group (MRG).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNotification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf the Breach Analysis Team determines that a breach of PII represents a risk of harm to the affected individuals, then CMS must notify individuals whose PII is compromised in a breach. 
The team will develop a Notification and Mitigation Plan to describe the actions CMS will take to protect the affected individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIndividual notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs prescribed by the \u003ca href=\"/policy-guidance/breach-analysis-team-bat-handbook\"\u003eCMS Breach Analysis Team Handbook\u003c/a\u003e, the CMS Senior Official for Privacy works with the Business Owner of an affected CMS system to develop a notification letter describing the breach for individuals and submit it to HHS PIRT for approval.\u003c/p\u003e\u003cp\u003eOMB M-17-12 provides direction to federal agencies on what information should be included in breach notifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eA brief description of what happened, including the date(s) of the breach and of its discovery\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of the types of sensitive data compromised by the breach (e.g., full name, Social Security Number, date of birth, home address, account number, and disability code), to the extent possible\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA statement of whether the information was encrypted or protected by other means, when it is determined that disclosing such information would be beneficial to potentially affected individuals and would not compromise the security of the information system\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eGuidance to potentially affected individuals on how they can mitigate their own risk of harm, the countermeasures undertaken, and any services provided to potentially affected individuals\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eAny steps being taken to investigate the breach, to mitigate losses, and to protect against a future breach\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eA description of how potentially affected individuals 
can learn more information about the breach, including a telephone number (preferably toll-free), email address, and postal address\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS PIRT has oversight over CMS breach notification plans. After developing the notification letter and a plan to contact the affected individuals, the BAT should meet with HHS PIRT to gain approval to implement the plan. This meeting should also be attended by the Business Owner(s) of any affected CMS systems, the Contracting Officers of any CMS contractor partners who were involved in the breach, and the incident response personnel who investigated the breach to ensure that HHS PIRT can receive timely answers to any questions related to the breach.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedia notification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn addition to individual notification, HIPAA requires CMS to notify local media outlets if a breach of PHI affects more than 500 individuals within a single locality.\u0026nbsp; The Breach Analysis Team should contact CMS Media Relations Group if a breach of PII/PHI affects more than 500 individuals to make certain that any plans to contact media outlets are included in the notification plan submitted to HHS PIRT for approval.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNotification through public CMS resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS must also consider that a widely publicized breach may cause members of the public to attempt to contact CMS with questions about the breach and inquire whether their own information was affected. 
As part of the notification plan, the Breach Analysis Team may determine that CMS should provide a public notification message on its public resources, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePosting on the cms.gov homepage to inform the public of the breach, with a link to further details\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eProviding CMS call centers with a message to play at the start of calls to inform callers how they can determine if they were affected by a breach\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eMitigation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs part of its notification plan, the Breach Analysis Team must determine and document the actions that CMS will take to mitigate the risk of harm. If the breach puts the affected individuals at risk for identity theft, CMS will offer credit monitoring as prescribed by the CMS Breach Analysis Team Handbook.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBudgeting considerations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere may be costs associated with implementing a notification and mitigation plan, such as providing a credit monitoring service free of charge to the affected individuals. If a contractor system is breached, the contractor should cover the costs of notification and mitigation. CMS contracts should establish this responsibility.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eBreach response stakeholders have direct or supporting roles and responsibilities during a breach. Some stakeholders in this group are associated with the FISMA system undergoing a breach and some are part of the CMS incident response capability. 
The breach response stakeholders have the following roles and responsibilities:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS FISMA System Stakeholders\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns decision to notify individuals affected by a breach and provide mitigation, with advisement from the BAT.\u003c/li\u003e\u003cli\u003eOwns decision to take major actions impacting system availability in response to a breach (such as shutting down a breached system).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrimary Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary system stakeholder in charge of providing data to IMT, BAT, and other breach response stakeholders about the affected system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOperations Teams (to include General Support System [GSS] support)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eTakes incident response actions on the system affected by the breach. 
May escalate decision to take major action impacting availability to the BO.\u003c/li\u003e\u003cli\u003eProvides system data to IMT, BAT and other breach response stakeholders at the direction of the ISSO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Adviser (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides guidance to breach response stakeholders on risk and compliance for the affected system.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eISPG Breach Response and Coordination\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS CISO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the breach response process.\u003c/li\u003e\u003cli\u003eIs kept apprised of all developments during breach response, analysis, notification, and mitigation.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Senior Official for Privacy (SOP)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the Breach Analysis Team process.\u003c/li\u003e\u003cli\u003eOwns and oversees the Notification and Mitigation Plan, in cooperation with the system BO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDCTSO Incident Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwns the incident response process.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team (IMT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePrimary coordination entity for breach response. 
Works to provide leadership (BAT, senior officials) with data about the breach to make decisions.\u003c/li\u003e\u003cli\u003eConducts initial analysis and risk assessment of breaches to provide to the BAT.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS Security Operations Center (SOC)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technical support and security subject matter expertise to the BAT during a breach.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Subject Matter Expert Support\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS Office of Communications/Media Relations Group\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides notification to media outlets in the event of a breach affecting the PHI of more than 500 individuals.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOffice of General Counsel\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides support to the BAT in the event of a major incident to help CMS prepare for congressional notification.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBreach Analysis Team (BAT)\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eOwns the risk decision (low/moderate/high) after IMT conducts a risk assessment.\u003c/li\u003e\u003cli\u003eWorks with the SOP and BO to advise on the Notification and Mitigation Plan.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eLaws and guidance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this list of applicable laws and guidance to learn more about the processes described in this handbook.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal laws\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\"\u003eFederal Information Security Modernization Act\u003c/a\u003e (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec. 
18, 2014) (primarily codified at 44 U.S.C. chapter 35, subchapter II).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf\"\u003eHealth Insurance Portability and Accountability Act\u003c/a\u003e (HIPAA) of 1996, Pub. L. 104-191 (Aug. 21, 1996).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eExecutive orders, memoranda, and directives\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\"\u003eOMB Memorandum M-17-12\u003c/a\u003e, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04\u003c/a\u003e, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (November 19, 2019).\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e (July 28, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident\"\u003ePPD-41, Annex for Presidential Policy Directive\u003c/a\u003e United States Cyber Incident Coordination (July 26, 2016).\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-14.pdf\"\u003eOMB Memorandum M-16-14, Category Management Policy 16-2\u003c/a\u003e: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 
2016).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS / HHS policy and procedures\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eCMS Risk Management Handbook (RMH) Chapter 8: Incident Response\u003c/li\u003e\u003cli\u003eCMS Breach Analysis Team Handbook\u003c/li\u003e\u003cli\u003eData Governance Guidelines\u003c/li\u003e\u003cli\u003eHHS PIRT Response Plan Template\u003c/li\u003e\u003cli\u003eCMS Risk Assessment for Breach Notification Determination\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAdditional guidance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Commerce / National Institute of Standards and Technology (NIST)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eNIST Special Publication 800-34 (Revision 1), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf\"\u003eContingency Planning Guide for Federal Information Systems and Organizations\u003c/a\u003e (Apr. 2013).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-61 (Revision 2), \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf\"\u003eComputer Security Incident Handling Guide\u003c/a\u003e (Aug. 2012).\u0026nbsp;\u003c/li\u003e\u003cli\u003eNIST Special Publication 800-122, \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf\"\u003eGuide to Protecting the Confidentiality of PII\u003c/a\u003e (Apr. 
2010).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eDepartment of Homeland Security (DHS) / United States Computer Emergency Readiness Team (US-CERT)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/uscert/incident-notification-guidelines\"\u003eUS-CERT Federal Incident Notification Guidelines\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNational Cybersecurity and Communications Integration Center (NCCIC) \u003ca href=\"https://www.cisa.gov/uscert/CISA-National-Cyber-Incident-Scoring-System\"\u003eCyber Incident Scoring System\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eGeneral Services Administration (GSA)\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.gsa.gov/buy-through-us/products-services/professional-services/buy-services/identity-protection-services-ips\"\u003eIdentity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"179:{\"value\":\"$17a\",\"format\":\"body_text\",\"processed\":\"$17b\",\"summary\":\"\"}\n17e:[]\n17d:{\"uri\":\"entity:node/696\",\"title\":\"Breach Response \",\"options\":\"$17e\",\"url\":\"/learn/breach-response\"}\n180:[]\n17f:{\"uri\":\"entity:node/701\",\"title\":\"CMS Breach Analysis Team (BAT) Handbook \",\"options\":\"$180\",\"url\":\"/policy-guidance/cms-breach-analysis-team-bat-handbook\"}\n17c:[\"$17d\",\"$17f\"]\n181:{\"value\":\"Procedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting requirements\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting 
requirements\u003c/p\u003e\\n\"}\n177:{\"drupal_internal__nid\":621,\"drupal_internal__vid\":4913,\"langcode\":\"en\",\"revision_timestamp\":\"2023-08-23T18:12:45+00:00\",\"status\":true,\"title\":\"CMS Breach Response Handbook\",\"created\":\"2022-12-30T21:49:21+00:00\",\"changed\":\"2023-08-23T18:12:45+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":\"$178\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$179\",\"field_contact_email\":\"IMT@cms.hhs.gov\",\"field_contact_name\":\"Incident Management Team\",\"field_last_reviewed\":\"2022-11-07\",\"field_related_resources\":\"$17c\",\"field_short_description\":\"$181\"}\n185:{\"drupal_internal__target_id\":\"library\"}\n184:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$185\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/node_type?resourceVersion=id%3A4913\"}\n188:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/node_type?resourceVersion=id%3A4913\"}\n186:{\"related\":\"$187\",\"self\":\"$188\"}\n183:{\"data\":\"$184\",\"links\":\"$186\"}\n18b:{\"drupal_internal__target_id\":36}\n18a:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":\"$18b\"}\n18d:{\"href\":\"https://c"])</script><script>self.__next_f.push([1,"ybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/revision_uid?resourceVersion=id%3A4913\"}\n18e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/revision_uid?resourceVersion=id%3A4913\"}\n18c:{\"related\":\"$18d\",\"self\":\"$18e\"}\n189:{\"data\":\"$18a\",\"links\":\"$18c\"}\n191:{\"drupal_internal__target_id\":6}\n190
:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$191\"}\n193:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/uid?resourceVersion=id%3A4913\"}\n194:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/uid?resourceVersion=id%3A4913\"}\n192:{\"related\":\"$193\",\"self\":\"$194\"}\n18f:{\"data\":\"$190\",\"links\":\"$192\"}\n197:{\"drupal_internal__target_id\":91}\n196:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$197\"}\n199:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_resource_type?resourceVersion=id%3A4913\"}\n19a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_resource_type?resourceVersion=id%3A4913\"}\n198:{\"related\":\"$199\",\"self\":\"$19a\"}\n195:{\"data\":\"$196\",\"links\":\"$198\"}\n19e:{\"drupal_internal__target_id\":66}\n19d:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$19e\"}\n1a0:{\"drupal_internal__target_id\":61}\n19f:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1a0\"}\n1a2:{\"drupal_internal__target_id\":76}\n1a1:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1a2\"}\n19c:[\"$19d\",\"$19f\",\"$1a1\"]\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_roles?resourceVersion=id%3A4913\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_roles?resourceVersion=id%3A4913\"}\n1a3:{\"related\":\""])</script><script>self.__next_f.push([1,"$1a4\",\"self\":\"$1a5\"}\n19b:{\"data\":\"$19c\",\"links\":\"$1a3\"}\n1a9:{\"drupal_internal__target_id\":31}\n1a8:{\"type\":\"taxonomy
_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$1a9\"}\n1a7:[\"$1a8\"]\n1ab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_topics?resourceVersion=id%3A4913\"}\n1ac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_topics?resourceVersion=id%3A4913\"}\n1aa:{\"related\":\"$1ab\",\"self\":\"$1ac\"}\n1a6:{\"data\":\"$1a7\",\"links\":\"$1aa\"}\n182:{\"node_type\":\"$183\",\"revision_uid\":\"$189\",\"uid\":\"$18f\",\"field_resource_type\":\"$195\",\"field_roles\":\"$19b\",\"field_topics\":\"$1a6\"}\n174:{\"type\":\"node--library\",\"id\":\"4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e\",\"links\":\"$175\",\"attributes\":\"$177\",\"relationships\":\"$182\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9?resourceVersion=id%3A4912\"}\n1ae:{\"self\":\"$1af\"}\n1b1:{\"alias\":\"/policy-guidance/cms-breach-analysis-team-bat-handbook\",\"pid\":691,\"langcode\":\"en\"}\n1b3:T2412,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected \u003cstrong\u003ebreach\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt this point (in collaboration with the Business Owner and the Information System Security Officer), the IMT may decide that a Breach Analysis Team should be convened, and notifies ISPG. 
This handbook is a guide for members of the Breach Analysis Team (BAT) to follow as they work to assess and mitigate the risks caused by a suspected breach.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho is on the BAT?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system. This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresentatives from the Incident Management Team (IMT) within the CMS Cybersecurity Integration Center (CCIC)\u003c/li\u003e\u003cli\u003eRepresentatives from ISPG (which may include the DCTSO Incident Commander and Senior Official for Privacy)\u003c/li\u003e\u003cli\u003eBusiness and/or System Owner of the affected system\u003c/li\u003e\u003cli\u003eOther people as needed:\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Maintainer\u003c/li\u003e\u003cli\u003eContracting Officer Representative (COR) if the affected system is a contractor system\u003c/li\u003e\u003cli\u003eCPI point of contact\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBAT responsibilities and steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce convened, the Breach Analysis Team is responsible for the following:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BAT conducts a risk assessment (using the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet) to determine the risk of harm to the affected individuals whose PII/PHI has been compromised. 
The assessment also helps determine who should be notified of the breach, and to what extent (if any).\u003c/p\u003e\u003cp\u003eWhen conducting the Risk Assessment, consider the following elements:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHow sensitive is the PII?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the nature and sensitivity of the PII potentially compromised by the breach, including the potential harms that an individual could experience from the compromise of that type of PII. These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Elements\u003c/strong\u003e – analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eContext\u003c/strong\u003e – purpose for which the PII was collected, maintained, and used\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivate Information\u003c/strong\u003e – extent to which the PII, in a given context, may reveal particularly private information about an individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eVulnerable Populations\u003c/strong\u003e – extent to which the PII identifies or disproportionately impacts a particularly vulnerable population\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePermanence\u003c/strong\u003e – the continued relevance and utility of the PII over time and whether it is easily replaced or substituted\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHow likely is the PII to be accessed and used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the likelihood of access and use of the compromised PII, including whether it was properly encrypted or rendered partially or completely inaccessible by other means. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eSecurity Safeguards\u003c/strong\u003e – whether the PII was properly encrypted or rendered partially or completely inaccessible by other means\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFormat and Media\u003c/strong\u003e – whether the format of the PII may make it difficult and resource-intensive to use\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDuration of Exposure\u003c/strong\u003e – how long the PII was exposed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEvidence of Misuse\u003c/strong\u003e – any evidence confirming that the PII is being misused or that it was never accessed\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat kind of breach and who is involved?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine and document the type of breach, including the circumstances of the breach, as well as the actors involved and their intent. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntent whether the PII was compromised intentionally or unintentionally (or if the intent is unknown)\u003c/li\u003e\u003cli\u003eRecipient whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is CMS ability to mitigate risk?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWithin an information system, the risk of harm will depend on how CMS is able to mitigate further compromise of the system(s) affected by a breach.\u003c/p\u003e\u003cp\u003eConsider how best to mitigate the identified risks and whether to notify individuals potentially affected by breach (including whether to offer credit monitoring services).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocument risk assessment results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDocument the results of the above risk assessment on the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet, and submit the completed form to the CMS Senior Official for Privacy: \u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eLow risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS 
Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedium or high risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003emedium or high probability\u003c/strong\u003e that the PII has been compromised, coordinate with the HHS Privacy Incident Response Team (PIRT) to perform the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PII\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify, without unreasonable delay, the individuals affected.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PHI\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis step does not apply unless PHI (as defined by HIPAA) is involved. If the data is only PII (as defined by the Privacy Act), then proceed to the next step: Recommendations to HHS PIRT.\u003c/p\u003e\u003cp\u003eIf the PHI breach involves 500 or more individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) of the breach via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form: “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting 500 or more individuals\u003c/a\u003e”. 
This provides the Secretary with notice of the breach without unreasonable delay and \u003cstrong\u003enever later than 60 days from discovery of the breach\u003c/strong\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves fewer than 500 individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) within the deadline via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting fewer than 500 individuals\u003c/a\u003e”.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves more than 500 residents of a State or Jurisdiction:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify prominent media outlets serving the applicable State or Jurisdiction of the breach.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecommendations to HHS PIRT\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe last step is to make a recommendation about breach notification to the HHS Privacy Incident Response Team (PIRT). Do this by creating a draft plan for notification and mitigation using the HHS PIRT Response Plan Template. Submit this draft to HHS PIRT so they can review it.\u003c/p\u003e\u003cp\u003eThe PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing breach response activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eVerify all of the above steps have been completed fully (as necessary, depending on the type of breach, type of sensitive information, level of risk, and so on.) Then, coordinate with the Incident Management Team to update and close the applicable ticket.\u003c/p\u003e\u003cp\u003eFor more details on breach notification responsibilities and procedures, see the CMS Breach Response Handbook.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b4:T2412,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected \u003cstrong\u003ebreach\u003c/strong\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAt this point (in collaboration with the Business Owner and the Information System Security Officer), the IMT may decide that a Breach Analysis Team should be convened, and notifies ISPG. This handbook is a guide for members of the Breach Analysis Team (BAT) to follow as they work to assess and mitigate the risks caused by a suspected breach.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho is on the BAT?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system. 
This may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresentatives from the Incident Management Team (IMT) within the CMS Cybersecurity Integration Center (CCIC)\u003c/li\u003e\u003cli\u003eRepresentatives from ISPG (which may include the DCTSO Incident Commander and Senior Official for Privacy)\u003c/li\u003e\u003cli\u003eBusiness and/or System Owner of the affected system\u003c/li\u003e\u003cli\u003eOther people as needed:\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Maintainer\u003c/li\u003e\u003cli\u003eContracting Officer Representative (COR) if the affected system is a contractor system\u003c/li\u003e\u003cli\u003eCPI point of contact\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eBAT responsibilities and steps\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eOnce convened, the Breach Analysis Team is responsible for the following:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct risk assessment\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BAT conducts a risk assessment (using the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet) to determine the risk of harm to the affected individuals whose PII/PHI has been compromised. The assessment also helps determine who should be notified of the breach, and to what extent (if any).\u003c/p\u003e\u003cp\u003eWhen conducting the Risk Assessment, consider the following elements:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHow sensitive is the PII?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the nature and sensitivity of the PII potentially compromised by the breach, including the potential harms that an individual could experience from the compromise of that type of PII. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Elements\u003c/strong\u003e analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eContext\u003c/strong\u003e purpose for which the PII was collected, maintained, and used\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivate Information\u003c/strong\u003e extent to which the PII, in a given context, may reveal particularly private information about an individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eVulnerable Populations\u003c/strong\u003e extent to which the PII identifies or disproportionately impacts a particularly vulnerable population\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePermanence \u003c/strong\u003e the continued relevance and utility of the PII over time and whether it is easily replaced or substituted\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHow likely is the PII to be accessed and used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine the likelihood of access and use of the compromised PII, including whether it was properly encrypted or rendered partially or completely inaccessible by other means. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eSecurity Safeguards\u003c/strong\u003e whether the PII was properly encrypted or rendered partially or completely inaccessible by other means\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFormat and Media \u003c/strong\u003e whether the format of the PII may make it difficult and resource-intensive to use\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eDuration of Exposure\u003c/strong\u003e how long the PII was exposed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEvidence of Misuse\u003c/strong\u003e any evidence confirming that the PII is being misused or that it was never accessed\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat kind of breach and who is involved?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDetermine and document the type of breach, including the circumstances of the breach, as well as the actors involved and their intent. 
These are the minimum data points that must be considered at this step:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntent whether the PII was compromised intentionally or unintentionally (or if the intent is unknown)\u003c/li\u003e\u003cli\u003eRecipient whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is CMS ability to mitigate risk?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWithin an information system, the risk of harm will depend on how CMS is able to mitigate further compromise of the system(s) affected by a breach.\u003c/p\u003e\u003cp\u003eConsider how best to mitigate the identified risks and whether to notify individuals potentially affected by breach (including whether to offer credit monitoring services).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocument risk assessment results\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDocument the results of the above risk assessment on the \u003cstrong\u003eRisk Assessment for Breach Notification\u003c/strong\u003e worksheet, and submit the completed form to the CMS Senior Official for Privacy: \u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eLow risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003elow probability\u003c/strong\u003e that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS 
Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMedium or high risk determination\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIf the above risk assessment indicates that there is a \u003cstrong\u003emedium or high probability\u003c/strong\u003e that the PII has been compromised, coordinate with the HHS Privacy Incident Response Team (PIRT) to perform the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PII\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify, without unreasonable delay, the individuals affected.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNotification measures for PHI\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis step does not apply unless PHI (as defined by HIPAA) is involved. If the data is only PII (as defined by the Privacy Act), then proceed to the next step: Recommendations to HHS PIRT.\u003c/p\u003e\u003cp\u003eIf the PHI breach involves 500 or more individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) of the breach via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form: “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting 500 or more individuals\u003c/a\u003e”. 
This provides the Secretary with notice of the breach without unreasonable delay and \u003cstrong\u003enever later than 60 days from discovery of the breach\u003c/strong\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves fewer than 500 individuals:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) within the deadline via the \u003ca href=\"http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html\"\u003eOCR website\u003c/a\u003e using the form “\u003ca href=\"https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true\"\u003eSubmit a notice for a breach affecting fewer than 500 individuals\u003c/a\u003e”.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the PHI breach involves more than 500 residents of a State or Jurisdiction:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CMS Senior Official for Privacy and Business Owner coordinate to notify prominent media outlets serving the applicable State or Jurisdiction of the breach.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRecommendations to HHS PIRT\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe last step is to make a recommendation about breach notification to the HHS Privacy Incident Response Team (PIRT). Do this by creating a draft plan for notification and mitigation using the HHS PIRT Response Plan Template. Submit this draft to HHS PIRT so they can review it.\u003c/p\u003e\u003cp\u003eThe PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. 
If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eClosing breach response activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eVerify all of the above steps have been completed fully (as necessary, depending on the type of breach, type of sensitive information, level of risk, and so on.) Then, coordinate with the Incident Management Team to update and close the applicable ticket.\u003c/p\u003e\u003cp\u003eFor more details on breach notification responsibilities and procedures, see the CMS Breach Response Handbook.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b2:{\"value\":\"$1b3\",\"format\":\"body_text\",\"processed\":\"$1b4\",\"summary\":\"\"}\n1b7:[]\n1b6:{\"uri\":\"entity:node/621\",\"title\":\"CMS Breach Response Handbook\",\"options\":\"$1b7\",\"url\":\"/policy-guidance/cms-breach-response-handbook\"}\n1b9:[]\n1b8:{\"uri\":\"entity:node/696\",\"title\":\"Breach Response\",\"options\":\"$1b9\",\"url\":\"/learn/breach-response\"}\n1bb:[]\n1ba:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":\"$1bb\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\n1b5:[\"$1b6\",\"$1b8\",\"$1ba\"]\n1bc:{\"value\":\"Procedures for the Breach Analysis Team (BAT) to follow when a team is convened to address a breach of PII at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures for the Breach Analysis Team (BAT) to follow when a team is convened to address a breach of PII at CMS\u003c/p\u003e\\n\"}\n1b0:{\"drupal_internal__nid\":701,\"drupal_internal__vid\":4912,\"langcode\":\"en\",\"revision_timestamp\":\"2023-08-23T18:11:24+00:00\",\"status\":true,\"title\":\"CMS Breach Analysis Team (BAT) 
Handbook\",\"created\":\"2023-02-08T21:40:58+00:00\",\"changed\":\"2023-08-23T18:11:24+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":\"$1b1\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$1b2\",\"field_contact_email\":\"IMT@cms.hhs.gov\",\"field_contact_name\":\"Incident Management Team\",\"field_last_reviewed\":\"2022-11-08\",\"field_related_resources\":\"$1b5\",\"field_short_description\":\"$1bc\"}\n1c0:{\"drupal_internal__target_id\":\"library\"}\n1bf:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$1c0\"}\n1c2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/node_type?resourceVersion=id%3A4912\"}\n1c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/node_type?resourceVersion=id%3A4912\"}\n1c1:{\"related\":\"$1c2\",\"self\":\"$1c3\"}\n1be:{\"data\":\"$1bf\",\"links\":\"$1c1\"}\n1c6:{\"d"])</script><script>self.__next_f.push([1,"rupal_internal__target_id\":36}\n1c5:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":\"$1c6\"}\n1c8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/revision_uid?resourceVersion=id%3A4912\"}\n1c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/revision_uid?resourceVersion=id%3A4912\"}\n1c7:{\"related\":\"$1c8\",\"self\":\"$1c9\"}\n1c4:{\"data\":\"$1c5\",\"links\":\"$1c7\"}\n1cc:{\"drupal_internal__target_id\":6}\n1cb:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1cc\"}\n1ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/uid?resourceVersion=id%3A
4912\"}\n1cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/uid?resourceVersion=id%3A4912\"}\n1cd:{\"related\":\"$1ce\",\"self\":\"$1cf\"}\n1ca:{\"data\":\"$1cb\",\"links\":\"$1cd\"}\n1d2:{\"drupal_internal__target_id\":91}\n1d1:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$1d2\"}\n1d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_resource_type?resourceVersion=id%3A4912\"}\n1d5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_resource_type?resourceVersion=id%3A4912\"}\n1d3:{\"related\":\"$1d4\",\"self\":\"$1d5\"}\n1d0:{\"data\":\"$1d1\",\"links\":\"$1d3\"}\n1d9:{\"drupal_internal__target_id\":66}\n1d8:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1d9\"}\n1db:{\"drupal_internal__target_id\":61}\n1da:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1db\"}\n1dd:{\"drupal_internal__target_id\":76}\n1dc:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1dd\"}\n1d7:[\"$1d8\",\"$1da\",\"$1dc\"]\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_roles?resourceVersion=id%3A4912\"}\n1e0:{\"href\":\"https://cybergeek"])</script><script>self.__next_f.push([1,".cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_roles?resourceVersion=id%3A4912\"}\n1de:{\"related\":\"$1df\",\"self\":\"$1e0\"}\n1d6:{\"data\":\"$1d7\",\"links\":\"$1de\"}\n1e4:{\"drupal_internal__target_id\":31}\n1e3:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$1e4\"}\n1e2:[\"$1e3\"]\n1e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_topics?resour
ceVersion=id%3A4912\"}\n1e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_topics?resourceVersion=id%3A4912\"}\n1e5:{\"related\":\"$1e6\",\"self\":\"$1e7\"}\n1e1:{\"data\":\"$1e2\",\"links\":\"$1e5\"}\n1bd:{\"node_type\":\"$1be\",\"revision_uid\":\"$1c4\",\"uid\":\"$1ca\",\"field_resource_type\":\"$1d0\",\"field_roles\":\"$1d6\",\"field_topics\":\"$1e1\"}\n1ad:{\"type\":\"node--library\",\"id\":\"8a4a46d2-953a-45b9-8143-0a7f26e526e9\",\"links\":\"$1ae\",\"attributes\":\"$1b0\",\"relationships\":\"$1bd\"}\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}\n1e9:{\"self\":\"$1ea\"}\n1ec:{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"}\n1ed:{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"}\n1ee:[\"#ispg-sec_privacy-policy\"]\n1eb:{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy Handbooks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1ec\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null"])</script><script>self.__next_f.push([1,",\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$1ed\",\"field_slack_channel\":\"$1ee\"}\n1f2:{\"drupal_internal__target_id\":\"explainer\"}\n1f1:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1f2\"}\n1f4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"}\n1f5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}\n1f3:{\"related\":\"$1f4\",\"self\":\"$1f5\"}\n1f0:{\"data\":\"$1f1\",\"links\":\"$1f3\"}\n1f8:{\"drupal_internal__target_id\":6}\n1f7:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1f8\"}\n1fa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"}\n1fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}\n1f9:{\"related\":\"$1fa\",\"self\":\"$1fb\"}\n1f6:{\"data\":\"$1f7\",\"links\":\"$1f9\"}\n1fe:{\"drupal_internal__target_id\":6}\n1fd:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1fe\"}\n200:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"}\n201:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}\n1ff:{\"related\":\"$200\",\"self\":\"$201\"}\n1fc:{\"data\":\"$1fd\",\"links\":\"$1ff\"}\n205:{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}\n204:{\"type\":\"paragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":\"$205\"}\n207:{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}\n206:{\"type\":\"paragraph--page_section\",\"id\":\"f5048b9a-b22a-4e67-abde-e9
64ff928b22\",\"meta\":\"$207\"}\n203:[\"$204\",\"$206\"]\n209:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0"])</script><script>self.__next_f.push([1,"846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"}\n20a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}\n208:{\"related\":\"$209\",\"self\":\"$20a\"}\n202:{\"data\":\"$203\",\"links\":\"$208\"}\n20e:{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}\n20d:{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":\"$20e\"}\n210:{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}\n20f:{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":\"$210\"}\n212:{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}\n211:{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":\"$212\"}\n214:{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}\n213:{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":\"$214\"}\n216:{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}\n215:{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":\"$216\"}\n218:{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}\n217:{\"type\":\"paragraph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":\"$218\"}\n20c:[\"$20d\",\"$20f\",\"$211\",\"$213\",\"$215\",\"$217\"]\n21a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"}\n21b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}\n219:{\"re
lated\":\"$21a\",\"self\":\"$21b\"}\n20b:{\"data\":\"$20c\",\"links\":\"$219\"}\n21e:{\"drupal_internal__target_id\":131}\n21d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$21e\"}\n220:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"}\n221:{\"href\":\"https://cyb"])</script><script>self.__next_f.push([1,"ergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}\n21f:{\"related\":\"$220\",\"self\":\"$221\"}\n21c:{\"data\":\"$21d\",\"links\":\"$21f\"}\n225:{\"drupal_internal__target_id\":66}\n224:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$225\"}\n227:{\"drupal_internal__target_id\":81}\n226:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$227\"}\n229:{\"drupal_internal__target_id\":61}\n228:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$229\"}\n22b:{\"drupal_internal__target_id\":76}\n22a:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$22b\"}\n22d:{\"drupal_internal__target_id\":71}\n22c:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$22d\"}\n223:[\"$224\",\"$226\",\"$228\",\"$22a\",\"$22c\"]\n22f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"}\n230:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id%3A5970\"}\n22e:{\"related\":\"$22f\",\"self\":\"$230\"}\n222:{\"data\":\"$223\",\"links\":\"$22e\"}\n234:{\"drupal_internal__target_id\":16}\n233:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\
",\"meta\":\"$234\"}\n232:[\"$233\"]\n236:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"}\n237:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}\n235:{\"related\":\"$236\",\"self\":\"$237\"}\n231:{\"data\":\"$232\",\"links\":\"$235\"}\n1ef:{\"node_type\":\"$1f0\",\"revision_uid\":\"$1f6\",\"uid\":\"$1fc\",\"field_page_section\":\"$202\",\"field_related_collection\":\"$20b\",\"field_resource_type\":\"$21c\",\"field_roles\":\"$222\",\"field_topics\":\"$231\"}\n1e8:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe"])</script><script>self.__next_f.push([1,"0675\",\"links\":\"$1e9\",\"attributes\":\"$1eb\",\"relationships\":\"$1ef\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"35c1a3a5-9206-46e8-83dc-298c411ab5c3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3?resourceVersion=id%3A5183\"}},\"attributes\":{\"drupal_internal__nid\":696,\"drupal_internal__vid\":5183,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T18:06:15+00:00\",\"status\":true,\"title\":\"Breach Response\",\"created\":\"2023-02-08T19:44:01+00:00\",\"changed\":\"2024-01-05T18:06:15+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/breach-response\",\"pid\":686,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"IMT@cms.hhs.gov\",\"field_contact_name\":\"Incident Management Team\",\"field_short_description\":{\"value\":\"The steps taken at CMS in response 
to a suspected breach of personally identifiable information (PII)\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe steps taken at CMS in response to a suspected breach of personally identifiable information (PII)\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/node_type?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/node_type?resourceVersion=id%3A5183\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/revision_uid?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/revision_uid?resourceVersion=id%3A5183\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/uid?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/uid?resourceVersion=id%3A5183\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"5736196d-d894-4ce0-bd41-be12b2dc4808\",\"meta\":{\"target_revision_id\":16657,\"drupal_internal__target_id\":981}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/ex
plainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/field_page_section?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/field_page_section?resourceVersion=id%3A5183\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"578aded8-f5f4-44ad-889c-dc6361470f93\",\"meta\":{\"target_revision_id\":16658,\"drupal_internal__target_id\":1401}},{\"type\":\"paragraph--internal_link\",\"id\":\"98d03f5a-69fe-4161-a229-edbda422bc66\",\"meta\":{\"target_revision_id\":16659,\"drupal_internal__target_id\":1406}},{\"type\":\"paragraph--internal_link\",\"id\":\"898f22a8-2374-47bb-b702-364229dc6b1d\",\"meta\":{\"target_revision_id\":16660,\"drupal_internal__target_id\":1411}},{\"type\":\"paragraph--internal_link\",\"id\":\"5d6eed26-779b-4619-9b43-9c37552afd58\",\"meta\":{\"target_revision_id\":16661,\"drupal_internal__target_id\":1416}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/field_related_collection?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/field_related_collection?resourceVersion=id%3A5183\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/field_resource_type?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/field_resource_type?resourceVersion=id%3A5183\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxon
omy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/field_roles?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/field_roles?resourceVersion=id%3A5183\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/field_topics?resourceVersion=id%3A5183\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/35c1a3a5-9206-46e8-83dc-298c411ab5c3/relationships/field_topics?resourceVersion=id%3A5183\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Ex
plainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}},\"attributes\":{\"display_name\":\"alex.kerr\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}},\"attributes\":{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8
/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}},\"attributes\":{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}}},\"parent\":{\"data\":[{\"t
ype\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"5736196d-d894-4ce0-bd41-be12b2dc4808\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808?resourceVersion=id%3A16657\"}},\"attributes\":{\"drupal_internal__id\":981,\"drupal_internal__revision_id\":16657,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/paragraph_type?resourceVersion=id%3A16657\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/relationships/paragraph_type?resourceVersion=id%3A16657\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"1f538793-a3ed-4ea1-97ab-7c2366dd1bd8\",\"meta\":{\"target_revision_id\":16656,\"drupal_internal__target_id\":976}}
,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/field_specialty_item?resourceVersion=id%3A16657\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5736196d-d894-4ce0-bd41-be12b2dc4808/relationships/field_specialty_item?resourceVersion=id%3A16657\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"1f538793-a3ed-4ea1-97ab-7c2366dd1bd8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8?resourceVersion=id%3A16656\"}},\"attributes\":{\"drupal_internal__id\":976,\"drupal_internal__revision_id\":16656,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"981\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/paragraph_type?resourceVersion=id%3A16656\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/relationships/paragraph_type?resourceVersion=id%3A16656\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"f73e0562-7f5f-4cf8-b3fd-f6c85972d464\",\"meta\":{\"target_revision_id\":16652,\"drupal_internal__target_id\":956}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f8509430-8ab7-4bf7-ae90-8f2f7fce9015\",\"meta\":{\"target_revision_id\":16653,\"drupal_internal__target_id\":961}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f384dee5-31b6-44db-b0e8-
491651d2721f\",\"meta\":{\"target_revision_id\":16654,\"drupal_internal__target_id\":966}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e8d8f9e8-1439-4436-964c-ab587c98442b\",\"meta\":{\"target_revision_id\":16655,\"drupal_internal__target_id\":971}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/field_process_list_item?resourceVersion=id%3A16656\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/1f538793-a3ed-4ea1-97ab-7c2366dd1bd8/relationships/field_process_list_item?resourceVersion=id%3A16656\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f73e0562-7f5f-4cf8-b3fd-f6c85972d464\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d464?resourceVersion=id%3A16652\"}},\"attributes\":{\"drupal_internal__id\":956,\"drupal_internal__revision_id\":16652,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:18+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report\u003c/strong\u003e as a deliverable to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. 
The IT Helpdesk works with the individual reporting an incident to create an initial \u003cstrong\u003eincident report\u003c/strong\u003e as a deliverable to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.\u003c/p\u003e\"},\"field_list_item_title\":\"Reporting\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d464/paragraph_type?resourceVersion=id%3A16652\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f73e0562-7f5f-4cf8-b3fd-f6c85972d464/relationships/paragraph_type?resourceVersion=id%3A16652\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f8509430-8ab7-4bf7-ae90-8f2f7fce9015\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015?resourceVersion=id%3A16653\"}},\"attributes\":{\"drupal_internal__id\":961,\"drupal_internal__revision_id\":16653,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:58:40+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIMT works with the affected systems officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. 
IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the\u003cstrong\u003e IMT Risk Assessment\u003c/strong\u003e as a deliverable.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIMT works with the affected systems officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the\u003cstrong\u003e IMT Risk Assessment\u003c/strong\u003e as a deliverable.\u003c/p\u003e\"},\"field_list_item_title\":\"Risk assessment\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015/paragraph_type?resourceVersion=id%3A16653\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f8509430-8ab7-4bf7-ae90-8f2f7fce9015/relationships/paragraph_type?resourceVersion=id%3A16653\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"f384dee5-31b6-44db-b0e8-491651d2721f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f?resourceVersion=id%3A16654\"}},\"attributes\":{\"drupal_internal__id\":966,\"drupal_internal__revision_id\":16654,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T19:59:18+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe Breach Analysis 
Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a \u003cstrong\u003eNotification and Mitigation Plan \u003c/strong\u003eto the HHS Privacy Incident Response Team (PIRT). The Business Owner of the system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe Breach Analysis Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a \u003cstrong\u003eNotification and Mitigation Plan \u003c/strong\u003eto the HHS Privacy Incident Response Team (PIRT). 
The Business Owner of the system has the final decision on whether notification and mitigation will go forward.\u003c/p\u003e\"},\"field_list_item_title\":\"Breach analysis\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f/paragraph_type?resourceVersion=id%3A16654\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/f384dee5-31b6-44db-b0e8-491651d2721f/relationships/paragraph_type?resourceVersion=id%3A16654\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e8d8f9e8-1439-4436-964c-ab587c98442b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b?resourceVersion=id%3A16655\"}},\"attributes\":{\"drupal_internal__id\":971,\"drupal_internal__revision_id\":16655,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T21:08:20+00:00\",\"parent_id\":\"976\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eHHS PIRT reviews the Notification and Mitigation Plan. 
The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.\u003c/p\u003e\"},\"field_list_item_title\":\"Notification and mitigation\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b/paragraph_type?resourceVersion=id%3A16655\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e8d8f9e8-1439-4436-964c-ab587c98442b/relationships/paragraph_type?resourceVersion=id%3A16655\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"578aded8-f5f4-44ad-889c-dc6361470f93\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93?resourceVersion=id%3A16658\"}},\"attributes\":{\"drupal_internal__id\":1401,\"drupal_internal__revision_id\":16658,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:50:56+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/paragraph_type?resourceVersion=id%3A16658\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578
aded8-f5f4-44ad-889c-dc6361470f93/relationships/paragraph_type?resourceVersion=id%3A16658\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e\",\"meta\":{\"drupal_internal__target_id\":621}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/field_link?resourceVersion=id%3A16658\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/578aded8-f5f4-44ad-889c-dc6361470f93/relationships/field_link?resourceVersion=id%3A16658\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"98d03f5a-69fe-4161-a229-edbda422bc66\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66?resourceVersion=id%3A16659\"}},\"attributes\":{\"drupal_internal__id\":1406,\"drupal_internal__revision_id\":16659,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:50:46+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/paragraph_type?resourceVersion=id%3A16659\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/relationships/paragraph_type?resourceVersion=id%3A16659\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"8a4a46d2-953a-45b9-8143-0a7f26e526e9\",\"meta\":{\"drupal_internal__target_id\":701}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161
-a229-edbda422bc66/field_link?resourceVersion=id%3A16659\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/98d03f5a-69fe-4161-a229-edbda422bc66/relationships/field_link?resourceVersion=id%3A16659\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"898f22a8-2374-47bb-b702-364229dc6b1d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d?resourceVersion=id%3A16660\"}},\"attributes\":{\"drupal_internal__id\":1411,\"drupal_internal__revision_id\":16660,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:51:06+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/paragraph_type?resourceVersion=id%3A16660\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/relationships/paragraph_type?resourceVersion=id%3A16660\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":{\"drupal_internal__target_id\":681}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/field_link?resourceVersion=id%3A16660\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/898f22a8-2374-47bb-b702-364229dc6b1d/relationships/field_link?resourceVersion=id%3A16660\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"5d6eed26-779b-4619-9b43-9c37552afd58\",\"links\":{\"self\":{\"href\":
\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58?resourceVersion=id%3A16661\"}},\"attributes\":{\"drupal_internal__id\":1416,\"drupal_internal__revision_id\":16661,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T19:51:32+00:00\",\"parent_id\":\"696\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/paragraph_type?resourceVersion=id%3A16661\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/relationships/paragraph_type?resourceVersion=id%3A16661\"}}},\"field_link\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/field_link?resourceVersion=id%3A16661\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5d6eed26-779b-4619-9b43-9c37552afd58/relationships/field_link?resourceVersion=id%3A16661\"}}}}},{\"type\":\"node--library\",\"id\":\"4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e?resourceVersion=id%3A4913\"}},\"attributes\":{\"drupal_internal__nid\":621,\"drupal_internal__vid\":4913,\"langcode\":\"en\",\"revision_timestamp\":\"2023-08-23T18:12:45+00:00\",\"status\":true,\"title\":\"CMS Breach Response 
Handbook\",\"created\":\"2022-12-30T21:49:21+00:00\",\"changed\":\"2023-08-23T18:12:45+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-breach-response-handbook\",\"pid\":611,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"IMT@cms.hhs.gov\",\"field_contact_name\":\"Incident Management Team\",\"field_last_reviewed\":\"2022-11-07\",\"field_related_resources\":[{\"uri\":\"entity:node/696\",\"title\":\"Breach Response \",\"options\":[],\"url\":\"/learn/breach-response\"},{\"uri\":\"entity:node/701\",\"title\":\"CMS Breach Analysis Team (BAT) Handbook \",\"options\":[],\"url\":\"/policy-guidance/cms-breach-analysis-team-bat-handbook\"}],\"field_short_description\":{\"value\":\"Procedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting requirements\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting 
requirements\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/node_type?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/node_type?resourceVersion=id%3A4913\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/revision_uid?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/revision_uid?resourceVersion=id%3A4913\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/uid?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/uid?resourceVersion=id%3A4913\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_resource_type?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_resource_type?resourceVersion=id%3A4913\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonom
y_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_roles?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_roles?resourceVersion=id%3A4913\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/field_topics?resourceVersion=id%3A4913\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e/relationships/field_topics?resourceVersion=id%3A4913\"}}}}},{\"type\":\"node--library\",\"id\":\"8a4a46d2-953a-45b9-8143-0a7f26e526e9\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9?resourceVersion=id%3A4912\"}},\"attributes\":{\"drupal_internal__nid\":701,\"drupal_internal__vid\":4912,\"langcode\":\"en\",\"revision_timestamp\":\"2023-08-23T18:11:24+00:00\",\"status\":true,\"title\":\"CMS Breach Analysis Team (BAT) 
Handbook\",\"created\":\"2023-02-08T21:40:58+00:00\",\"changed\":\"2023-08-23T18:11:24+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-breach-analysis-team-bat-handbook\",\"pid\":691,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_contact_email\":\"IMT@cms.hhs.gov\",\"field_contact_name\":\"Incident Management Team\",\"field_last_reviewed\":\"2022-11-08\",\"field_related_resources\":[{\"uri\":\"entity:node/621\",\"title\":\"CMS Breach Response Handbook\",\"options\":[],\"url\":\"/policy-guidance/cms-breach-response-handbook\"},{\"uri\":\"entity:node/696\",\"title\":\"Breach Response\",\"options\":[],\"url\":\"/learn/breach-response\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"Procedures for the Breach Analysis Team (BAT) to follow when a team is convened to address a breach of PII at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures for the Breach Analysis Team (BAT) to follow when a team is convened to address a breach of PII at 
CMS\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/node_type?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/node_type?resourceVersion=id%3A4912\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/revision_uid?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/revision_uid?resourceVersion=id%3A4912\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/uid?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/uid?resourceVersion=id%3A4912\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_resource_type?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_resource_type?resourceVersion=id%3A4912\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--r
oles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_roles?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_roles?resourceVersion=id%3A4912\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/field_topics?resourceVersion=id%3A4912\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/8a4a46d2-953a-45b9-8143-0a7f26e526e9/relationships/field_topics?resourceVersion=id%3A4912\"}}}}},{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}},\"attributes\":{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy 
Handbooks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}}},\"uid\":{\"data\":{\
"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}},{\"type\":\"paragraph--page_section\",\"id\":\"f5048b9a-b22a-4e67-abde-e964ff928b22\",\"meta\":{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}},{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}},{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}},{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}},{\"type\":\"parag
raph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id
%3A5970\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\":\"$28\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2c\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\":\"$98\",\"0534f7e2-9894-488d-a526-3c0255df2ad5\":\"$b2\",\"5736196d-d894-4ce0-bd41-be12b2dc4808\":\"$cc\",\"1f538793-a3ed-4ea1-97ab-7c2366dd1bd8\":\"$e1\",\"f73e0562-7f5f-4cf8-b3fd-f6c85972d464\":\"$fa\",\"f8509430-8ab7-4bf7-ae90-8f2f7fce9015\":\"$107\",\"f384dee5-31b6-44db-b0e8-491651d2721f\":\"$114\",\"e8d8f9e8-1439-4436-964c-ab587c98442b\":\"$121\",\"578aded8-f5f4-44ad-889c-dc6361470f93\":\"$12e\",\"98d03f5a-69fe-4161-a229-edbda422bc66\":\"$140\",\"898f22a8-2374-47bb-b702-364229dc6b1d\":\"$152\",\"5d6eed26-779b-4619-9b43-9c37552afd58\":\"$164\",\"4d1cc2c6-4cc0-4999-b30f-8dc07a2a6a3e\":\"$174\",\"8a4a46d2-953a-45b9-8143-0a7f26e526e9\":\"$1ad\",\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\":\"$1e8\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Breach Response | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"The steps taken at CMS in 
response to a suspected breach of personally identifiable information (PII)\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/breach-response\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Breach Response | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"The steps taken at CMS in response to a suspected breach of personally identifiable information (PII)\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/breach-response\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/breach-response/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Breach Response | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"The steps taken at CMS in response to a suspected breach of personally identifiable information 
(PII)\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/breach-response/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>