publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/cms-computer-matching-agreement-cma
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
331 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Computer Matching Agreement (CMA) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Written agreement used in the comparison of automated systems of record between federal or state agencies"/><link rel="canonical" href="https://security.cms.gov/learn/cms-computer-matching-agreement-cma"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Computer Matching Agreement (CMA) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Written agreement used in the comparison of automated systems of record between federal or state agencies"/><meta property="og:url" content="https://security.cms.gov/learn/cms-computer-matching-agreement-cma"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-computer-matching-agreement-cma/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Computer Matching Agreement (CMA) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Written agreement used in the comparison of automated systems of record between federal or state agencies"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-computer-matching-agreement-cma/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Computer Matching Agreement (CMA)</h1><p class="hero__description">Written agreement used in the comparison of automated systems of record between federal or state agencies</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Privacy Office</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-privacy-agreement-consults</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2 dir="ltr">What is a Computer Matching Agreement (CMA)?</h2><p dir="ltr">A Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of <a href="https://security.cms.gov/learn/data-sharing-agreements">Data Sharing Agreement</a>.</p><p dir="ltr">Computer Matching Agreements are used to:</p><ul><li dir="ltr">Establish or verify eligibility for federal benefits</li><li dir="ltr">Verify compliance with federal benefit programs</li><li dir="ltr">Recoup payments or delinquent debts</li><li dir="ltr">Investigate potential fraud, waste, and abuse</li></ul><p dir="ltr">CMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.&nbsp;</p><p dir="ltr">CMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current&nbsp;<a href="https://www.hhs.gov/foia/privacy/cmas/index.html">CMS Computer Matching Agreements</a>.</p><h2 dir="ltr">CMAs at CMS</h2><p dir="ltr">The Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance:&nbsp;<a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a>.</p><p dir="ltr">When finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency who is sharing the information can act in this capacity.&nbsp;</p><h3 dir="ltr">When do I need a CMA?</h3><p dir="ltr">A CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individuals federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at:&nbsp;<a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a>.</p><h3 dir="ltr">How long does a CMA remain in effect?</h3><p dir="ltr">There are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, its valid for&nbsp;<strong>12 months</strong> and can then be renewed for another&nbsp;<strong>18 months</strong> — meaning that a CMA can technically cover the matching program for a&nbsp;<strong>total of 30 months</strong>. At that point the CMA can be re-established if the matching program is still needed.</p><h3 dir="ltr">How long does it take to complete or renew a CMA?</h3><p dir="ltr">Establishing or re-establishing a CMA takes about&nbsp;<strong>1 year</strong> from initial request to final sign-off. Renewing a CMA takes about&nbsp;<strong>10 months</strong> from initial request to final sign-off.&nbsp;</p><p dir="ltr">If you compare this with the amount of time a CMA remains in effect (above), youll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.</p><h3 dir="ltr">How do I initiate a CMA?</h3><p dir="ltr">First,&nbsp;<strong>review the information on this page</strong> to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started:&nbsp;<a href="mailto:privacy@cms.hhs.gov">privacy@cms.hhs.gov</a></p><h2 dir="ltr">CMA establishment process</h2><p dir="ltr">A CMA is established when CMS participates in a matching program with an initial effective period of 18 months.&nbsp;</p><p dir="ltr">The process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about&nbsp;<strong>1 year</strong> from initial request to final sign-off.&nbsp;</p><h3 dir="ltr">1. Checklist &amp; prep</h3><p dir="ltr"><em>Estimated time to complete: 7 - 10 business days</em></p><ul><li dir="ltr">Business Owner reviews the <a href="https://security.cms.gov/learn/cms-computer-matching-agreement-cma#cma-checklist">CMA Checklist</a> to get familiar with the needed artifacts and what to expect from the process</li><li dir="ltr">Business Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)</li></ul><h3 dir="ltr">2. Intake &amp; kickoff</h3><p dir="ltr"><em>Estimated time to complete: 10 - 15 business days</em></p><ul><li dir="ltr">Business Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment</li><li dir="ltr">Privacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner</li><li dir="ltr">Privacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed</li></ul><h3 dir="ltr">3. Drafting &amp; internal review</h3><p dir="ltr"><em>Estimated time to complete: 40 business days</em></p><ul><li dir="ltr">Business Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost Benefit Analysis.</li><li dir="ltr">Business Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback</li></ul><h3 dir="ltr">4. External review</h3><p dir="ltr"><em>Estimated time to complete: 40 business days</em></p><ul><li dir="ltr">Business Owner provides CMA draft to external stakeholders for review</li><li dir="ltr">Once feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office</li></ul><h3 dir="ltr">5. HHS Privacy Act Officer review</h3><p dir="ltr"><em>Estimated time to complete: 40 business days</em></p><ul><li dir="ltr">Privacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review</li><li dir="ltr">Privacy Office works with the Business Owner and the external party to address comments from the HHS PAO</li><li dir="ltr">CMA document is finalized</li></ul><h3 dir="ltr">6. Sign-off</h3><p dir="ltr"><em>Estimated time to complete: 75 business days</em></p><ul><li dir="ltr">Privacy Office submits CMA to Business Owner for sign-off by Program Officials</li><li dir="ltr">Privacy Office obtains signature from CMS Senior Official for Privacy (SOP)</li><li dir="ltr">Privacy Office sends CMA to external parties for sign-off</li><li dir="ltr">Privacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB<ul><li dir="ltr"><em>Note: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.</em></li></ul></li><li dir="ltr">CMA is returned to the CMS Privacy Office once all signatures are obtained</li></ul><h3 dir="ltr">7. OMB &amp; Congress review</h3><p dir="ltr"><em>Estimated time to complete: 30 business days</em></p><ul><li dir="ltr">Recipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period</li><li dir="ltr">Recipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)</li></ul><h3 dir="ltr">8. Federal Register publication</h3><p dir="ltr"><em>Estimated time to complete: 30 business days</em></p><ul><li dir="ltr">Recipient agency (who is receiving the data) submits notice for publication in Federal Register</li><li dir="ltr">The CMA becomes effective after 30 days of being available for public review and comment in the Federal Register</li></ul><h3 dir="ltr">9. Distribution / completion</h3><p dir="ltr"><em>Estimated time to complete: 30 business days</em></p><ul><li dir="ltr">Party requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)</li><li dir="ltr">CMS accessibility team conducts review on the CMA to ensure 508 compliance</li><li dir="ltr">HHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the&nbsp;<a href="https://www.hhs.gov/foia/privacy/cmas/index.html">HHS website</a></li><li dir="ltr">Privacy Office uploads final CMA to Sharepoint site</li></ul><h2 dir="ltr">CMA renewal process</h2><p dir="ltr">An existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:</p><ul><li dir="ltr">There is a separate template for CMA Renewal.</li><li dir="ltr">Cost Benefit Analysis (CBA) is not required.</li><li dir="ltr">HHS review and comment on the CMA Renewal draft is not required.</li><li dir="ltr">CMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.&nbsp;</li><li dir="ltr">Notice to OMB and Congress and publication in the Federal Register are not required.</li></ul><p dir="ltr">The complete process for CMA Renewal is described below. Renewing a CMA takes about&nbsp;<strong>10 months</strong> from initial request to final sign-off.</p><h4 dir="ltr">1. Intake and kickoff</h4><p dir="ltr"><em>Estimated time to complete: 25 business days</em></p><ul><li dir="ltr">Typically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue</li><li dir="ltr">Kickoff meeting is scheduled to discuss the renewal process</li><li dir="ltr">Privacy Office conducts a review to confirm there are no substantive changes to the existing matching program</li></ul><h4 dir="ltr">2. Drafting &amp; internal review</h4><p dir="ltr"><em>Estimated time to complete: 40 business days</em></p><ul><li dir="ltr">Business Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template</li><li dir="ltr">Business Owner coordinates internal stakeholder review of the CMA Renewal draft</li></ul><h4 dir="ltr">3. External review</h4><p dir="ltr"><em>Estimated time to complete: 55 business days</em></p><ul><li dir="ltr">Business Owner provides CMA Renewal draft to external stakeholders for review</li><li dir="ltr">Once feedback is received and incorporated, Business Owner returns the draft to the Privacy Office</li><li dir="ltr">Privacy Office works with Business Owner and external party to finalize the Renewal CMA</li></ul><h4 dir="ltr">4. Sign-off</h4><p dir="ltr"><em>Estimated time to complete: 80 business days</em></p><ul><li dir="ltr">Privacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials</li><li dir="ltr">Privacy Office obtains signature from CMS Senior Official for Privacy (SOP)</li><li dir="ltr">Privacy Office sends Renewal CMA to external parties for sign-off</li><li dir="ltr">Privacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB<ul><li dir="ltr"><em>Note: The Renewal CMA cant be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.</em></li><li dir="ltr"><em>Note: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.</em></li></ul></li><li dir="ltr">Renewal CMA is returned to the CMS Privacy Office once all signatures are obtained</li></ul><h4 dir="ltr">5. Distribution / completion</h4><p dir="ltr"><em>Estimated time to complete: 10 business days</em></p><ul><li dir="ltr">Party requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)</li><li dir="ltr">HHS Privacy Act Officer updates the CMA effective dates on the&nbsp;<a href="https://www.hhs.gov/foia/privacy/cmas/index.html">HHS website</a></li><li dir="ltr">Privacy Office uploads Renewal CMA to Sharepoint site</li></ul><h2 dir="ltr">CMA re-establishment process</h2><p dir="ltr">A CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).&nbsp;</p><p dir="ltr">The CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.</p><h2 dir="ltr">CMA checklist</h2><p dir="ltr"><em>Checklist for Business Owners to review when preparing for a CMA</em></p><p dir="ltr">Establishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.&nbsp;</p><p dir="ltr"><strong>Business Owners should review this checklist</strong> before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.</p><h3 dir="ltr">Computer Matching Agreement (CMA) document</h3><h4>What it is:</h4><p dir="ltr">The CMA document describes all aspects of the proposed computer matching program. The document is developed using the&nbsp;<strong>CMS Computer Matching Agreement Template</strong>, which aligns with the&nbsp;<a href="https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf">guidance for Computer Matching Agreements published by HHS</a> (PDF link).</p><p dir="ltr">The Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:</p><h3 dir="ltr">Purpose</h3><h4>What it is:</h4><p dir="ltr">The start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:</p><ul><li dir="ltr">Source agency (the agency disclosing the records that will be used)</li><li dir="ltr">Recipient agency (the agency receiving the records to be used)</li><li dir="ltr">Which agency will publish the matching program in the Federal Register</li><li dir="ltr">The name/designation and/or component(s) responsible for the matching activity (for example, "The responsible NIH component for the match is the National Cancer Institute (NCI).")</li></ul><h4>Business Owner responsibility:</h4><p dir="ltr">Before working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:</p><ul><li dir="ltr">Why the matching program is being proposed</li><li dir="ltr">All purposes and uses for the match data</li><li dir="ltr">Purpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)</li></ul><p dir="ltr">The more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.</p><h3 dir="ltr">Legal authorities</h3><h4>What it is:</h4><p dir="ltr">This section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:</p><ul><li dir="ltr">If no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.</li><li dir="ltr">Citations to the Privacy Act should not be included, as it doesnt provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.</li><li dir="ltr">Questions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).</li></ul><h4>Business Owner responsibility:</h4><p dir="ltr">Before working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:</p><p dir="ltr"><em>This agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C.§ 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306 and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).&nbsp;</em></p><h3 dir="ltr">Terms and definitions</h3><h4>What it is:</h4><p dir="ltr">For clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.&nbsp;</p><h4>Business Owner responsibility:</h4><p dir="ltr">Before working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.</p><h3 dir="ltr">Cost-Benefit Analysis (CBA)</h3><h4>What it is:</h4><p dir="ltr">The CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but&nbsp;<strong>not</strong> for CMA Renewal.&nbsp;</p><p dir="ltr"><em>Note that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.</em></p><h4>Business Owner responsibility:</h4><p dir="ltr">Business Owners should review the&nbsp;<a href="https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf">CMA guidelines provided by HHS</a> (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).</p><p dir="ltr">The cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.</p><p dir="ltr">Identify</p><h4 dir="ltr">Costs</h4><p dir="ltr"><em>Costs for all stages and all major activities</em></p><h4>Key element 1: Personnel Costs</h4><ul><li dir="ltr">For agencies (source agency, recipient agencies, and justice agencies)</li><li dir="ltr">For clients</li><li dir="ltr">For third parties</li><li dir="ltr">For the general public</li></ul><h4>Key element 2: Agencies Computer Costs</h4><ul><li dir="ltr">For agencies (source agency, recipient agencies, and justice agencies)</li></ul><h4 dir="ltr">Benefits</h4><h4>Key element 3: Avoidance of future improper payments&nbsp;</h4><ul><li dir="ltr">To agencies (source agency, recipient agencies, and justice agencies)</li><li dir="ltr">To clients</li><li dir="ltr">To the general public</li></ul><h4>Key element 4: Recovery of improper payments and debts&nbsp;</h4><ul><li dir="ltr">To agencies (source agency, recipient agencies, and justice agencies)&nbsp;</li><li dir="ltr">To clients&nbsp;</li><li dir="ltr">To the general public</li></ul><h3 dir="ltr">Records description</h3><h4>What it is:</h4><p dir="ltr">This part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.&nbsp;</p><h4>Who has responsibilities:</h4><p dir="ltr">The Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).</p><ul><li dir="ltr"><strong>Systems of Records</strong>: For both agencies participating in the matching program (both CMS and the partner agency), a&nbsp;<a href="https://security.cms.gov/learn/system-records-notice-sorn">System of Records Notice (SORN)</a> must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.</li><li dir="ltr"><strong>Number of records involved</strong>: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.</li><li dir="ltr"><strong>Specified data elements used in the match</strong>: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.<ul><li dir="ltr"><em>For example:&nbsp;“Attachment 2, “SSA Finder File,” and Attachment 3, “CMS LTC/MDS Response File,” contain the data elements used in this computer matching program.”</em></li></ul></li><li dir="ltr"><strong>Frequency of data exchanges</strong>: Explain how often data will be exchanged between agencies for the duration of the matching program.&nbsp;<ul><li dir="ltr">For example:&nbsp;<em>“CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”</em></li></ul></li></ul><p dir="ltr">Besides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.</p><h2 dir="ltr">Privacy Office responsibilities</h2><p dir="ltr">In addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:</p><h3 dir="ltr">Narrative statement</h3><p dir="ltr">The narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report&nbsp;<strong>without restating information</strong> provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.</p><h3 dir="ltr">Federal Register matching notice</h3><p dir="ltr">The matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.</p><h3 dir="ltr">HHS transmittal letters (House, Senate, OMB)</h3><p dir="ltr">As described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).&nbsp;</p><p dir="ltr">If CMS is the recipient agency, this step is done by the Privacy Office.</p><ul><li dir="ltr">The letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.&nbsp;</li><li dir="ltr">The letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.&nbsp;</li><li dir="ltr">The letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.&nbsp;</li></ul></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-information-exchange-agreement-iea">CMS Information Exchange Agreement (IEA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/data-sharing-agreements">Data Sharing Agreements</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Agreements that establish how data will be managed and protected when shared between CMS and another agency</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-computer-matching-agreement-cma\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cms-computer-matching-agreement-cma\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-computer-matching-agreement-cma\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-computer-matching-agreement-cma\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T6844,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is a Computer Matching Agreement (CMA)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of \u003ca href=\"https://security.cms.gov/learn/data-sharing-agreements\"\u003eData Sharing Agreement\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eComputer Matching Agreements are used to:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEstablish or verify eligibility for federal benefits\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerify compliance with federal benefit programs\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecoup payments or delinquent debts\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInvestigate potential fraud, waste, and abuse\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eCMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eCMS Computer Matching Agreements\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMAs at CMS\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWhen finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency who is sharing the information can act in this capacity.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eWhen do I need a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eA CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individuals federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does a CMA remain in effect?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThere are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, its valid for\u0026nbsp;\u003cstrong\u003e12 months\u003c/strong\u003e and can then be renewed for another\u0026nbsp;\u003cstrong\u003e18 months\u003c/strong\u003e — meaning that a CMA can technically cover the matching program for a\u0026nbsp;\u003cstrong\u003etotal of 30 months\u003c/strong\u003e. At that point the CMA can be re-established if the matching program is still needed.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does it take to complete or renew a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you compare this with the amount of time a CMA remains in effect (above), youll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow do I initiate a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFirst,\u0026nbsp;\u003cstrong\u003ereview the information on this page\u003c/strong\u003e to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is established when CMS participates in a matching program with an initial effective period of 18 months.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e1. Checklist \u0026amp; prep\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 7 - 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner reviews the \u003ca href=\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma#cma-checklist\"\u003eCMA Checklist\u003c/a\u003e to get familiar with the needed artifacts and what to expect from the process\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e2. Intake \u0026amp; kickoff\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 - 15 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e3. Drafting \u0026amp; internal review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost Benefit Analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e4. External review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e5. HHS Privacy Act Officer review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with the Business Owner and the external party to address comments from the HHS PAO\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA document is finalized\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e6. Sign-off\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 75 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e7. OMB \u0026amp; Congress review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e8. Federal Register publication\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) submits notice for publication in Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe CMA becomes effective after 30 days of being available for public review and comment in the Federal Register\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e9. Distribution / completion\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS accessibility team conducts review on the CMA to ensure 508 compliance\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads final CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA renewal process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAn existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThere is a separate template for CMA Renewal.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCost Benefit Analysis (CBA) is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS review and comment on the CMA Renewal draft is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eNotice to OMB and Congress and publication in the Federal Register are not required.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe complete process for CMA Renewal is described below. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e1. Intake and kickoff\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 25 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTypically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKickoff meeting is scheduled to discuss the renewal process\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office conducts a review to confirm there are no substantive changes to the existing matching program\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e2. Drafting \u0026amp; internal review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA Renewal draft\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e3. External review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 55 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA Renewal draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the draft to the Privacy Office\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with Business Owner and external party to finalize the Renewal CMA\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e4. Sign-off\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 80 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: The Renewal CMA cant be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRenewal CMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e5. Distribution / completion\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Officer updates the CMA effective dates on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads Renewal CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA re-establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA checklist\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eChecklist for Business Owners to review when preparing for a CMA\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness Owners should review this checklist\u003c/strong\u003e before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eComputer Matching Agreement (CMA) document\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMA document describes all aspects of the proposed computer matching program. The document is developed using the\u0026nbsp;\u003cstrong\u003eCMS Computer Matching Agreement Template\u003c/strong\u003e, which aligns with the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eguidance for Computer Matching Agreements published by HHS\u003c/a\u003e (PDF link).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePurpose\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSource agency (the agency disclosing the records that will be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (the agency receiving the records to be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich agency will publish the matching program in the Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe name/designation and/or component(s) responsible for the matching activity (for example, \"The responsible NIH component for the match is the National Cancer Institute (NCI).\")\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhy the matching program is being proposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll purposes and uses for the match data\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePurpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLegal authorities\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIf no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCitations to the Privacy Act should not be included, as it doesnt provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuestions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C.§ 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306 and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTerms and definitions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eCost-Benefit Analysis (CBA)\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but\u0026nbsp;\u003cstrong\u003enot\u003c/strong\u003e for CMA Renewal.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eNote that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should review the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eCMA guidelines provided by HHS\u003c/a\u003e (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIdentify\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eCosts\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eCosts for all stages and all major activities\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey element 1: Personnel Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor third parties\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 2: Agencies Computer Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003eBenefits\u003c/h4\u003e\u003ch4\u003e\u003cstrong\u003eKey element 3: Avoidance of future improper payments\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 4: Recovery of improper payments and debts\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRecords description\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWho has responsibilities:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSystems of Records\u003c/strong\u003e: For both agencies participating in the matching program (both CMS and the partner agency), a\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-records-notice-sorn\"\u003eSystem of Records Notice (SORN)\u003c/a\u003e must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNumber of records involved\u003c/strong\u003e: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSpecified data elements used in the match\u003c/strong\u003e: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFor example:\u0026nbsp;“Attachment 2, “SSA Finder File,” and Attachment 3, “CMS LTC/MDS Response File,” contain the data elements used in this computer matching program.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFrequency of data exchanges\u003c/strong\u003e: Explain how often data will be exchanged between agencies for the duration of the matching program.\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor example:\u0026nbsp;\u003cem\u003e“CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBesides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003ePrivacy Office responsibilities\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eIn addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNarrative statement\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report\u0026nbsp;\u003cstrong\u003ewithout restating information\u003c/strong\u003e provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eFederal Register matching notice\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHHS transmittal letters (House, Senate, OMB)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAs described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf CMS is the recipient agency, this step is done by the Privacy Office.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"19:T6844,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is a Computer Matching Agreement (CMA)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of \u003ca href=\"https://security.cms.gov/learn/data-sharing-agreements\"\u003eData Sharing Agreement\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eComputer Matching Agreements are used to:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEstablish or verify eligibility for federal benefits\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerify compliance with federal benefit programs\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecoup payments or delinquent debts\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInvestigate potential fraud, waste, and abuse\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eCMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eCMS Computer Matching Agreements\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMAs at CMS\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWhen finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency who is sharing the information can act in this capacity.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eWhen do I need a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eA CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individuals federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does a CMA remain in effect?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThere are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, its valid for\u0026nbsp;\u003cstrong\u003e12 months\u003c/strong\u003e and can then be renewed for another\u0026nbsp;\u003cstrong\u003e18 months\u003c/strong\u003e — meaning that a CMA can technically cover the matching program for a\u0026nbsp;\u003cstrong\u003etotal of 30 months\u003c/strong\u003e. At that point the CMA can be re-established if the matching program is still needed.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does it take to complete or renew a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you compare this with the amount of time a CMA remains in effect (above), youll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow do I initiate a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFirst,\u0026nbsp;\u003cstrong\u003ereview the information on this page\u003c/strong\u003e to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is established when CMS participates in a matching program with an initial effective period of 18 months.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e1. Checklist \u0026amp; prep\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 7 - 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner reviews the \u003ca href=\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma#cma-checklist\"\u003eCMA Checklist\u003c/a\u003e to get familiar with the needed artifacts and what to expect from the process\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e2. Intake \u0026amp; kickoff\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 - 15 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e3. Drafting \u0026amp; internal review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost Benefit Analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e4. External review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e5. HHS Privacy Act Officer review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with the Business Owner and the external party to address comments from the HHS PAO\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA document is finalized\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e6. Sign-off\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 75 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e7. OMB \u0026amp; Congress review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e8. Federal Register publication\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) submits notice for publication in Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe CMA becomes effective after 30 days of being available for public review and comment in the Federal Register\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e9. Distribution / completion\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS accessibility team conducts review on the CMA to ensure 508 compliance\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads final CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA renewal process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAn existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThere is a separate template for CMA Renewal.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCost Benefit Analysis (CBA) is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS review and comment on the CMA Renewal draft is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eNotice to OMB and Congress and publication in the Federal Register are not required.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe complete process for CMA Renewal is described below. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e1. Intake and kickoff\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 25 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTypically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKickoff meeting is scheduled to discuss the renewal process\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office conducts a review to confirm there are no substantive changes to the existing matching program\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e2. Drafting \u0026amp; internal review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA Renewal draft\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e3. External review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 55 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA Renewal draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the draft to the Privacy Office\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with Business Owner and external party to finalize the Renewal CMA\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e4. Sign-off\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 80 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: The Renewal CMA cant be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRenewal CMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e5. Distribution / completion\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Officer updates the CMA effective dates on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads Renewal CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA re-establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA checklist\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eChecklist for Business Owners to review when preparing for a CMA\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness Owners should review this checklist\u003c/strong\u003e before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eComputer Matching Agreement (CMA) document\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMA document describes all aspects of the proposed computer matching program. The document is developed using the\u0026nbsp;\u003cstrong\u003eCMS Computer Matching Agreement Template\u003c/strong\u003e, which aligns with the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eguidance for Computer Matching Agreements published by HHS\u003c/a\u003e (PDF link).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePurpose\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSource agency (the agency disclosing the records that will be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (the agency receiving the records to be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich agency will publish the matching program in the Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe name/designation and/or component(s) responsible for the matching activity (for example, \"The responsible NIH component for the match is the National Cancer Institute (NCI).\")\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhy the matching program is being proposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll purposes and uses for the match data\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePurpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLegal authorities\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIf no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCitations to the Privacy Act should not be included, as it doesnt provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuestions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C.§ 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306 and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTerms and definitions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eCost-Benefit Analysis (CBA)\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but\u0026nbsp;\u003cstrong\u003enot\u003c/strong\u003e for CMA Renewal.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eNote that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should review the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eCMA guidelines provided by HHS\u003c/a\u003e (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIdentify\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eCosts\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eCosts for all stages and all major activities\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey element 1: Personnel Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor third parties\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 2: Agencies Computer Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003eBenefits\u003c/h4\u003e\u003ch4\u003e\u003cstrong\u003eKey element 3: Avoidance of future improper payments\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 4: Recovery of improper payments and debts\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRecords description\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWho has responsibilities:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSystems of Records\u003c/strong\u003e: For both agencies participating in the matching program (both CMS and the partner agency), a\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-records-notice-sorn\"\u003eSystem of Records Notice (SORN)\u003c/a\u003e must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNumber of records involved\u003c/strong\u003e: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSpecified data elements used in the match\u003c/strong\u003e: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFor example:\u0026nbsp;“Attachment 2, “SSA Finder File,” and Attachment 3, “CMS LTC/MDS Response File,” contain the data elements used in this computer matching program.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFrequency of data exchanges\u003c/strong\u003e: Explain how often data will be exchanged between agencies for the duration of the matching program.\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor example:\u0026nbsp;\u003cem\u003e“CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBesides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003ePrivacy Office responsibilities\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eIn addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNarrative statement\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report\u0026nbsp;\u003cstrong\u003ewithout restating information\u003c/strong\u003e provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eFederal Register matching notice\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHHS transmittal letters (House, Senate, OMB)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAs described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf CMS is the recipient agency, this step is done by the Privacy Office.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"mburgess\"}\n24:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00"])</script><script>self.__next_f.push([1,"\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/t"])</script><script>self.__next_f.push([1,"axonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id"])</script><script>self.__next_f.push([1,"\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationships\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"topics\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}\n91:{\"related\":\"$92\","])</script><script>self.__next_f.push([1,"\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$80\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b?resourceVersion=id%3A20081\"}\n95:{\"self\":\"$96\"}\n98:[]\n9a:T6844,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is a Computer Matching Agreement (CMA)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of \u003ca href=\"https://security.cms.gov/learn/data-sharing-agreements\"\u003eData Sharing Agreement\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eComputer Matching Agreements are used to:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEstablish or verify eligibility for federal benefits\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerify compliance with federal benefit programs\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecoup payments or delinquent debts\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInvestigate potential fraud, waste, and abuse\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eCMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eCMS Computer Matching Agreements\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMAs at CMS\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWhen finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency who is sharing the information can act in this capacity.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eWhen do I need a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eA CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individuals federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does a CMA remain in effect?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThere are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, its valid for\u0026nbsp;\u003cstrong\u003e12 months\u003c/strong\u003e and can then be renewed for another\u0026nbsp;\u003cstrong\u003e18 months\u003c/strong\u003e — meaning that a CMA can technically cover the matching program for a\u0026nbsp;\u003cstrong\u003etotal of 30 months\u003c/strong\u003e. At that point the CMA can be re-established if the matching program is still needed.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does it take to complete or renew a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you compare this with the amount of time a CMA remains in effect (above), youll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow do I initiate a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFirst,\u0026nbsp;\u003cstrong\u003ereview the information on this page\u003c/strong\u003e to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is established when CMS participates in a matching program with an initial effective period of 18 months.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e1. Checklist \u0026amp; prep\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 7 - 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner reviews the \u003ca href=\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma#cma-checklist\"\u003eCMA Checklist\u003c/a\u003e to get familiar with the needed artifacts and what to expect from the process\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e2. Intake \u0026amp; kickoff\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 - 15 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e3. Drafting \u0026amp; internal review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost Benefit Analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e4. External review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e5. HHS Privacy Act Officer review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with the Business Owner and the external party to address comments from the HHS PAO\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA document is finalized\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e6. Sign-off\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 75 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e7. OMB \u0026amp; Congress review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e8. Federal Register publication\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) submits notice for publication in Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe CMA becomes effective after 30 days of being available for public review and comment in the Federal Register\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e9. Distribution / completion\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS accessibility team conducts review on the CMA to ensure 508 compliance\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads final CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA renewal process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAn existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThere is a separate template for CMA Renewal.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCost Benefit Analysis (CBA) is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS review and comment on the CMA Renewal draft is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eNotice to OMB and Congress and publication in the Federal Register are not required.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe complete process for CMA Renewal is described below. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e1. Intake and kickoff\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 25 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTypically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKickoff meeting is scheduled to discuss the renewal process\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office conducts a review to confirm there are no substantive changes to the existing matching program\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e2. Drafting \u0026amp; internal review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA Renewal draft\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e3. External review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 55 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA Renewal draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the draft to the Privacy Office\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with Business Owner and external party to finalize the Renewal CMA\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e4. Sign-off\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 80 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: The Renewal CMA cant be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRenewal CMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e5. Distribution / completion\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Officer updates the CMA effective dates on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads Renewal CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA re-establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA checklist\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eChecklist for Business Owners to review when preparing for a CMA\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness Owners should review this checklist\u003c/strong\u003e before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eComputer Matching Agreement (CMA) document\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMA document describes all aspects of the proposed computer matching program. The document is developed using the\u0026nbsp;\u003cstrong\u003eCMS Computer Matching Agreement Template\u003c/strong\u003e, which aligns with the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eguidance for Computer Matching Agreements published by HHS\u003c/a\u003e (PDF link).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePurpose\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSource agency (the agency disclosing the records that will be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (the agency receiving the records to be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich agency will publish the matching program in the Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe name/designation and/or component(s) responsible for the matching activity (for example, \"The responsible NIH component for the match is the National Cancer Institute (NCI).\")\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhy the matching program is being proposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll purposes and uses for the match data\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePurpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLegal authorities\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIf no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCitations to the Privacy Act should not be included, as it doesnt provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuestions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C.§ 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306 and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTerms and definitions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eCost-Benefit Analysis (CBA)\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but\u0026nbsp;\u003cstrong\u003enot\u003c/strong\u003e for CMA Renewal.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eNote that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should review the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eCMA guidelines provided by HHS\u003c/a\u003e (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIdentify\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eCosts\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eCosts for all stages and all major activities\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey element 1: Personnel Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor third parties\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 2: Agencies Computer Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003eBenefits\u003c/h4\u003e\u003ch4\u003e\u003cstrong\u003eKey element 3: Avoidance of future improper payments\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 4: Recovery of improper payments and debts\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRecords description\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWho has responsibilities:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSystems of Records\u003c/strong\u003e: For both agencies participating in the matching program (both CMS and the partner agency), a\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-records-notice-sorn\"\u003eSystem of Records Notice (SORN)\u003c/a\u003e must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNumber of records involved\u003c/strong\u003e: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSpecified data elements used in the match\u003c/strong\u003e: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFor example:\u0026nbsp;“Attachment 2, “SSA Finder File,” and Attachment 3, “CMS LTC/MDS Response File,” contain the data elements used in this computer matching program.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFrequency of data exchanges\u003c/strong\u003e: Explain how often data will be exchanged between agencies for the duration of the matching program.\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor example:\u0026nbsp;\u003cem\u003e“CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBesides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003ePrivacy Office responsibilities\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eIn addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNarrative statement\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report\u0026nbsp;\u003cstrong\u003ewithout restating information\u003c/strong\u003e provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eFederal Register matching notice\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHHS transmittal letters (House, Senate, OMB)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAs described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf CMS is the recipient agency, this step is done by the Privacy Office.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"9b:T6844,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is a Computer Matching Agreement (CMA)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of \u003ca href=\"https://security.cms.gov/learn/data-sharing-agreements\"\u003eData Sharing Agreement\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eComputer Matching Agreements are used to:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEstablish or verify eligibility for federal benefits\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVerify compliance with federal benefit programs\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecoup payments or delinquent debts\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInvestigate potential fraud, waste, and abuse\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eCMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eCMS Computer Matching Agreements\u003c/a\u003e.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMAs at CMS\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eWhen finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency who is sharing the information can act in this capacity.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eWhen do I need a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eA CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individuals federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does a CMA remain in effect?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThere are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, its valid for\u0026nbsp;\u003cstrong\u003e12 months\u003c/strong\u003e and can then be renewed for another\u0026nbsp;\u003cstrong\u003e18 months\u003c/strong\u003e — meaning that a CMA can technically cover the matching program for a\u0026nbsp;\u003cstrong\u003etotal of 30 months\u003c/strong\u003e. At that point the CMA can be re-established if the matching program is still needed.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow long does it take to complete or renew a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf you compare this with the amount of time a CMA remains in effect (above), youll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHow do I initiate a CMA?\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFirst,\u0026nbsp;\u003cstrong\u003ereview the information on this page\u003c/strong\u003e to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started:\u0026nbsp;\u003ca href=\"mailto:privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is established when CMS participates in a matching program with an initial effective period of 18 months.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about\u0026nbsp;\u003cstrong\u003e1 year\u003c/strong\u003e from initial request to final sign-off.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e1. Checklist \u0026amp; prep\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 7 - 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner reviews the \u003ca href=\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma#cma-checklist\"\u003eCMA Checklist\u003c/a\u003e to get familiar with the needed artifacts and what to expect from the process\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e2. Intake \u0026amp; kickoff\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 - 15 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e3. Drafting \u0026amp; internal review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost Benefit Analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e4. External review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e5. HHS Privacy Act Officer review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with the Business Owner and the external party to address comments from the HHS PAO\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA document is finalized\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e6. Sign-off\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 75 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e7. OMB \u0026amp; Congress review\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e8. Federal Register publication\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (who is receiving the data) submits notice for publication in Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe CMA becomes effective after 30 days of being available for public review and comment in the Federal Register\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e9. Distribution / completion\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 30 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMS accessibility team conducts review on the CMA to ensure 508 compliance\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads final CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA renewal process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAn existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThere is a separate template for CMA Renewal.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCost Benefit Analysis (CBA) is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS review and comment on the CMA Renewal draft is not required.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eNotice to OMB and Congress and publication in the Federal Register are not required.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe complete process for CMA Renewal is described below. Renewing a CMA takes about\u0026nbsp;\u003cstrong\u003e10 months\u003c/strong\u003e from initial request to final sign-off.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e1. Intake and kickoff\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 25 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTypically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue\u003c/li\u003e\u003cli dir=\"ltr\"\u003eKickoff meeting is scheduled to discuss the renewal process\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office conducts a review to confirm there are no substantive changes to the existing matching program\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e2. Drafting \u0026amp; internal review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 40 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner coordinates internal stakeholder review of the CMA Renewal draft\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e3. External review\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 55 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eBusiness Owner provides CMA Renewal draft to external stakeholders for review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOnce feedback is received and incorporated, Business Owner returns the draft to the Privacy Office\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office works with Business Owner and external party to finalize the Renewal CMA\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e4. Sign-off\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 80 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office obtains signature from CMS Senior Official for Privacy (SOP)\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to external parties for sign-off\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: The Renewal CMA cant be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.\u003c/em\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eNote: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRenewal CMA is returned to the CMS Privacy Office once all signatures are obtained\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003e5. Distribution / completion\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eEstimated time to complete: 10 business days\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eParty requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eHHS Privacy Act Officer updates the CMA effective dates on the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/cmas/index.html\"\u003eHHS website\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePrivacy Office uploads Renewal CMA to Sharepoint site\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eCMA re-establishment process\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eA CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eCMA checklist\u003c/h2\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eChecklist for Business Owners to review when preparing for a CMA\u003c/em\u003e\u003c/p\u003e\u003cp dir=\"ltr\"\u003eEstablishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eBusiness Owners should review this checklist\u003c/strong\u003e before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eComputer Matching Agreement (CMA) document\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMA document describes all aspects of the proposed computer matching program. The document is developed using the\u0026nbsp;\u003cstrong\u003eCMS Computer Matching Agreement Template\u003c/strong\u003e, which aligns with the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eguidance for Computer Matching Agreements published by HHS\u003c/a\u003e (PDF link).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003ePurpose\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSource agency (the agency disclosing the records that will be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRecipient agency (the agency receiving the records to be used)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhich agency will publish the matching program in the Federal Register\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe name/designation and/or component(s) responsible for the matching activity (for example, \"The responsible NIH component for the match is the National Cancer Institute (NCI).\")\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhy the matching program is being proposed\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAll purposes and uses for the match data\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePurpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eLegal authorities\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eIf no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCitations to the Privacy Act should not be included, as it doesnt provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuestions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C.§ 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306 and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eTerms and definitions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBefore working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eCost-Benefit Analysis (CBA)\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but\u0026nbsp;\u003cstrong\u003enot\u003c/strong\u003e for CMA Renewal.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eNote that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner responsibility:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBusiness Owners should review the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/sites/default/files/cma-guidelines-revised-approved-hhs-dib-august-29-2016.pdf\"\u003eCMA guidelines provided by HHS\u003c/a\u003e (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIdentify\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003eCosts\u003c/h4\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eCosts for all stages and all major activities\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eKey element 1: Personnel Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor third parties\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFor the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 2: Agencies Computer Costs\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003c/ul\u003e\u003ch4 dir=\"ltr\"\u003eBenefits\u003c/h4\u003e\u003ch4\u003e\u003cstrong\u003eKey element 3: Avoidance of future improper payments\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eKey element 4: Recovery of improper payments and debts\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eTo agencies (source agency, recipient agencies, and justice agencies)\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo clients\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTo the general public\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRecords description\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eWhat it is:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThis part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWho has responsibilities:\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSystems of Records\u003c/strong\u003e: For both agencies participating in the matching program (both CMS and the partner agency), a\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/system-records-notice-sorn\"\u003eSystem of Records Notice (SORN)\u003c/a\u003e must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eNumber of records involved\u003c/strong\u003e: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eSpecified data elements used in the match\u003c/strong\u003e: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cem\u003eFor example:\u0026nbsp;“Attachment 2, “SSA Finder File,” and Attachment 3, “CMS LTC/MDS Response File,” contain the data elements used in this computer matching program.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFrequency of data exchanges\u003c/strong\u003e: Explain how often data will be exchanged between agencies for the duration of the matching program.\u0026nbsp;\u003cul\u003e\u003cli dir=\"ltr\"\u003eFor example:\u0026nbsp;\u003cem\u003e“CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eBesides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003ePrivacy Office responsibilities\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eIn addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eNarrative statement\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report\u0026nbsp;\u003cstrong\u003ewithout restating information\u003c/strong\u003e provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eFederal Register matching notice\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eHHS transmittal letters (House, Senate, OMB)\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eAs described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIf CMS is the recipient agency, this step is done by the Privacy Office.\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eThe letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eThe letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"99:{\"value\":\"$9a\",\"format\":\"body_text\",\"processed\":\"$9b\"}\n97:{\"drupal_internal__id\":451,\"drupal_internal__revision_id\":20081,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T15:02:52+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$98\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$99\"}\n9f:{\"drupal_internal__target_id\":\"page_section\"}\n9e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$9f\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/paragraph_type?resourceVersion=id%3A20081\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/relationships/paragraph_type?resourceVersion=id%3A20081\"}\na0:{\"related\":\"$a1\",\"self\":\"$a2\"}\n9d:{\"data\":\"$9e\",\"links\":\"$a0\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/field_specialty_item?resourceVersion=id%3A20081\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/relationships/field_specialty_item?resourceVersion=id%3A20081\"}\na4:{\"related\":\"$a5\",\"self\":\"$a6\"}\na3:{\"data\":null,\"links\":\"$a4\"}\n9c:{\"paragraph_type\":\"$9d\",\"field_specialty_item\":\"$a3\"}\n94:{\"type\":\"paragraph--page_section\",\"id\":\"ebf079d8-dd73-43d4-b270-1dffecde688b\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$9c\"}\na9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007?resourceVersion=id%3A20086\"}\na8:{\"self\":\"$a9\"}\nab:[]\naa:{\"drupal_internal__id\":1876,\"drupal_internal__revision_id\":20086,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T19:31:36+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$ab\",\"default_langcode\":true,\"revision_translation_affected\":true}\naf:{\"drupal_internal__target_id\":\"internal_link\"}\nae:{\"type\":\"paragraphs_t"])</script><script>self.__next_f.push([1,"ype--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$af\"}\nb1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/paragraph_type?resourceVersion=id%3A20086\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/relationships/paragraph_type?resourceVersion=id%3A20086\"}\nb0:{\"related\":\"$b1\",\"self\":\"$b2\"}\nad:{\"data\":\"$ae\",\"links\":\"$b0\"}\nb5:{\"drupal_internal__target_id\":356}\nb4:{\"type\":\"node--explainer\",\"id\":\"85d3c6d9-87da-4285-9571-cfef16aa6d61\",\"meta\":\"$b5\"}\nb7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/field_link?resourceVersion=id%3A20086\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/relationships/field_link?resourceVersion=id%3A20086\"}\nb6:{\"related\":\"$b7\",\"self\":\"$b8\"}\nb3:{\"data\":\"$b4\",\"links\":\"$b6\"}\nac:{\"paragraph_type\":\"$ad\",\"field_link\":\"$b3\"}\na7:{\"type\":\"paragraph--internal_link\",\"id\":\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\",\"links\":\"$a8\",\"attributes\":\"$aa\",\"relationships\":\"$ac\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e?resourceVersion=id%3A20091\"}\nba:{\"self\":\"$bb\"}\nbd:[]\nbc:{\"drupal_internal__id\":3576,\"drupal_internal__revision_id\":20091,\"langcode\":\"en\",\"status\":true,\"created\":\"2025-01-16T20:53:38+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$bd\",\"default_langcode\":true,\"revision_translation_affected\":true}\nc1:{\"drupal_internal__target_id\":\"internal_link\"}\nc0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$c1\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/paragraph_type?resourceVersion=id%3A20091\"}\nc4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/relationships/paragr"])</script><script>self.__next_f.push([1,"aph_type?resourceVersion=id%3A20091\"}\nc2:{\"related\":\"$c3\",\"self\":\"$c4\"}\nbf:{\"data\":\"$c0\",\"links\":\"$c2\"}\nc7:{\"drupal_internal__target_id\":1246}\nc6:{\"type\":\"node--explainer\",\"id\":\"c1152e47-1dfe-4010-b73e-3c2661ff646f\",\"meta\":\"$c7\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/field_link?resourceVersion=id%3A20091\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/relationships/field_link?resourceVersion=id%3A20091\"}\nc8:{\"related\":\"$c9\",\"self\":\"$ca\"}\nc5:{\"data\":\"$c6\",\"links\":\"$c8\"}\nbe:{\"paragraph_type\":\"$bf\",\"field_link\":\"$c5\"}\nb9:{\"type\":\"paragraph--internal_link\",\"id\":\"7f569b2e-5e41-45c0-954e-df9128d24e6e\",\"links\":\"$ba\",\"attributes\":\"$bc\",\"relationships\":\"$be\"}\ncd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c?resourceVersion=id%3A20096\"}\ncc:{\"self\":\"$cd\"}\ncf:[]\nce:{\"drupal_internal__id\":3581,\"drupal_internal__revision_id\":20096,\"langcode\":\"en\",\"status\":true,\"created\":\"2025-01-16T20:56:04+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$cf\",\"default_langcode\":true,\"revision_translation_affected\":true}\nd3:{\"drupal_internal__target_id\":\"internal_link\"}\nd2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$d3\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/paragraph_type?resourceVersion=id%3A20096\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/relationships/paragraph_type?resourceVersion=id%3A20096\"}\nd4:{\"related\":\"$d5\",\"self\":\"$d6\"}\nd1:{\"data\":\"$d2\",\"links\":\"$d4\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/field_link?resourceVersion=id%3A20096\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c"])</script><script>self.__next_f.push([1,"/relationships/field_link?resourceVersion=id%3A20096\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd7:{\"data\":null,\"links\":\"$d8\"}\nd0:{\"paragraph_type\":\"$d1\",\"field_link\":\"$d7\"}\ncb:{\"type\":\"paragraph--internal_link\",\"id\":\"8dde78c3-a853-4117-b100-c1c97b47829c\",\"links\":\"$cc\",\"attributes\":\"$ce\",\"relationships\":\"$d0\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61?resourceVersion=id%3A6126\"}\ndc:{\"self\":\"$dd\"}\ndf:{\"alias\":\"/learn/cms-information-exchange-agreement-iea\",\"pid\":346,\"langcode\":\"en\"}\ne0:{\"value\":\"Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eBusiness Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies\u003c/p\u003e\\n\"}\ne1:[\"#ispg-privacy-agreement-consults\"]\nde:{\"drupal_internal__nid\":356,\"drupal_internal__vid\":6126,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:57:31+00:00\",\"status\":true,\"title\":\"CMS Information Exchange Agreement (IEA)\",\"created\":\"2022-08-29T16:33:09+00:00\",\"changed\":\"2025-01-16T20:57:31+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$df\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":\"$e0\",\"field_slack_channel\":\"$e1\"}\ne5:{\"drupal_internal__target_id\":\"explainer\"}\ne4:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$e5\"}\ne7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/node_type?resourceVersion=id%3A6126\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/node_type?resourceVersion=id%3A6126\"}\ne6:{\"related\":\"$e7\",\"self\":\"$e8\"}\ne3:"])</script><script>self.__next_f.push([1,"{\"data\":\"$e4\",\"links\":\"$e6\"}\neb:{\"drupal_internal__target_id\":6}\nea:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$eb\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/revision_uid?resourceVersion=id%3A6126\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/revision_uid?resourceVersion=id%3A6126\"}\nec:{\"related\":\"$ed\",\"self\":\"$ee\"}\ne9:{\"data\":\"$ea\",\"links\":\"$ec\"}\nf1:{\"drupal_internal__target_id\":26}\nf0:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$f1\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/uid?resourceVersion=id%3A6126\"}\nf4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/uid?resourceVersion=id%3A6126\"}\nf2:{\"related\":\"$f3\",\"self\":\"$f4\"}\nef:{\"data\":\"$f0\",\"links\":\"$f2\"}\nf8:{\"target_revision_id\":20101,\"drupal_internal__target_id\":466}\nf7:{\"type\":\"paragraph--page_section\",\"id\":\"24c64778-0ed9-4ae9-b9dc-dfc10681357c\",\"meta\":\"$f8\"}\nf6:[\"$f7\"]\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_page_section?resourceVersion=id%3A6126\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_page_section?resourceVersion=id%3A6126\"}\nf9:{\"related\":\"$fa\",\"self\":\"$fb\"}\nf5:{\"data\":\"$f6\",\"links\":\"$f9\"}\nff:{\"target_revision_id\":20106,\"drupal_internal__target_id\":1841}\nfe:{\"type\":\"paragraph--internal_link\",\"id\":\"4cef73c0-51d2-4d1a-8273-05c4fcd038bf\",\"meta\":\"$ff\"}\n101:{\"target_revision_id\":20111,\"drupal_internal__target_id\":1846}\n100:{\"type\":\"paragraph--internal_link\",\"id\":\"7eda830e-a420-46c6-b3a6-3a7c9dd09d0d\",\"meta\":\"$101\"}\nfd:[\"$fe\",\"$100\"]\n103:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_related_collection?resourceVersion=id%3A6126\"}\n104:{\"href\":\"https://cybergeek.cms.gov/jsonapi"])</script><script>self.__next_f.push([1,"/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_related_collection?resourceVersion=id%3A6126\"}\n102:{\"related\":\"$103\",\"self\":\"$104\"}\nfc:{\"data\":\"$fd\",\"links\":\"$102\"}\n107:{\"drupal_internal__target_id\":131}\n106:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$107\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_resource_type?resourceVersion=id%3A6126\"}\n10a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_resource_type?resourceVersion=id%3A6126\"}\n108:{\"related\":\"$109\",\"self\":\"$10a\"}\n105:{\"data\":\"$106\",\"links\":\"$108\"}\n10e:{\"drupal_internal__target_id\":66}\n10d:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$10e\"}\n110:{\"drupal_internal__target_id\":61}\n10f:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$110\"}\n112:{\"drupal_internal__target_id\":76}\n111:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$112\"}\n10c:[\"$10d\",\"$10f\",\"$111\"]\n114:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_roles?resourceVersion=id%3A6126\"}\n115:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_roles?resourceVersion=id%3A6126\"}\n113:{\"related\":\"$114\",\"self\":\"$115\"}\n10b:{\"data\":\"$10c\",\"links\":\"$113\"}\n119:{\"drupal_internal__target_id\":16}\n118:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$119\"}\n11b:{\"drupal_internal__target_id\":31}\n11a:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$11b\"}\n117:[\"$118\",\"$11a\"]\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_topics?resourceVersion=id%3A6126\"}\n11e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_topic"])</script><script>self.__next_f.push([1,"s?resourceVersion=id%3A6126\"}\n11c:{\"related\":\"$11d\",\"self\":\"$11e\"}\n116:{\"data\":\"$117\",\"links\":\"$11c\"}\ne2:{\"node_type\":\"$e3\",\"revision_uid\":\"$e9\",\"uid\":\"$ef\",\"field_page_section\":\"$f5\",\"field_related_collection\":\"$fc\",\"field_resource_type\":\"$105\",\"field_roles\":\"$10b\",\"field_topics\":\"$116\"}\ndb:{\"type\":\"node--explainer\",\"id\":\"85d3c6d9-87da-4285-9571-cfef16aa6d61\",\"links\":\"$dc\",\"attributes\":\"$de\",\"relationships\":\"$e2\"}\n121:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f?resourceVersion=id%3A6131\"}\n120:{\"self\":\"$121\"}\n123:{\"alias\":\"/learn/data-sharing-agreements\",\"pid\":1366,\"langcode\":\"en\"}\n124:{\"value\":\"Agreements that establish how data will be managed and protected when shared between CMS and another agency\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAgreements that establish how data will be managed and protected when shared between CMS and another agency\u003c/p\u003e\\n\"}\n125:[\"#ispg-privacy-agreement-consults\"]\n122:{\"drupal_internal__nid\":1246,\"drupal_internal__vid\":6131,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:58:18+00:00\",\"status\":true,\"title\":\"Data Sharing Agreements\",\"created\":\"2025-01-16T20:26:35+00:00\",\"changed\":\"2025-01-16T20:58:18+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$123\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":\"$124\",\"field_slack_channel\":\"$125\"}\n129:{\"drupal_internal__target_id\":\"explainer\"}\n128:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$129\"}\n12b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/node_type?resourceVersion=id%3A6131\"}\n12c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/node_type?resource"])</script><script>self.__next_f.push([1,"Version=id%3A6131\"}\n12a:{\"related\":\"$12b\",\"self\":\"$12c\"}\n127:{\"data\":\"$128\",\"links\":\"$12a\"}\n12f:{\"drupal_internal__target_id\":6}\n12e:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$12f\"}\n131:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/revision_uid?resourceVersion=id%3A6131\"}\n132:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/revision_uid?resourceVersion=id%3A6131\"}\n130:{\"related\":\"$131\",\"self\":\"$132\"}\n12d:{\"data\":\"$12e\",\"links\":\"$130\"}\n135:{\"drupal_internal__target_id\":6}\n134:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$135\"}\n137:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/uid?resourceVersion=id%3A6131\"}\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/uid?resourceVersion=id%3A6131\"}\n136:{\"related\":\"$137\",\"self\":\"$138\"}\n133:{\"data\":\"$134\",\"links\":\"$136\"}\n13c:{\"target_revision_id\":20116,\"drupal_internal__target_id\":3571}\n13b:{\"type\":\"paragraph--page_section\",\"id\":\"e6f122bb-36d3-41e9-833e-29c6351eb939\",\"meta\":\"$13c\"}\n13a:[\"$13b\"]\n13e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_page_section?resourceVersion=id%3A6131\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_page_section?resourceVersion=id%3A6131\"}\n13d:{\"related\":\"$13e\",\"self\":\"$13f\"}\n139:{\"data\":\"$13a\",\"links\":\"$13d\"}\n143:{\"target_revision_id\":20121,\"drupal_internal__target_id\":3586}\n142:{\"type\":\"paragraph--internal_link\",\"id\":\"98b4c323-6323-4eb8-98fd-7f6414cc3368\",\"meta\":\"$143\"}\n145:{\"target_revision_id\":20126,\"drupal_internal__target_id\":3591}\n144:{\"type\":\"paragraph--internal_link\",\"id\":\"5d97f40c-547a-439b-a92a-23efe869a4eb\",\"meta\":\"$145\"}\n141:[\"$142\",\"$144\"]\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff6"])</script><script>self.__next_f.push([1,"46f/field_related_collection?resourceVersion=id%3A6131\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_related_collection?resourceVersion=id%3A6131\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n140:{\"data\":\"$141\",\"links\":\"$146\"}\n14b:{\"drupal_internal__target_id\":131}\n14a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$14b\"}\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_resource_type?resourceVersion=id%3A6131\"}\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_resource_type?resourceVersion=id%3A6131\"}\n14c:{\"related\":\"$14d\",\"self\":\"$14e\"}\n149:{\"data\":\"$14a\",\"links\":\"$14c\"}\n152:{\"drupal_internal__target_id\":61}\n151:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$152\"}\n154:{\"drupal_internal__target_id\":76}\n153:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$154\"}\n150:[\"$151\",\"$153\"]\n156:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_roles?resourceVersion=id%3A6131\"}\n157:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_roles?resourceVersion=id%3A6131\"}\n155:{\"related\":\"$156\",\"self\":\"$157\"}\n14f:{\"data\":\"$150\",\"links\":\"$155\"}\n15b:{\"drupal_internal__target_id\":31}\n15a:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":\"$15b\"}\n159:[\"$15a\"]\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_topics?resourceVersion=id%3A6131\"}\n15e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_topics?resourceVersion=id%3A6131\"}\n15c:{\"related\":\"$15d\",\"self\":\"$15e\"}\n158:{\"data\":\"$159\",\"links\":\"$15c\"}\n126:{\"node_type\":\"$127\",\"revision_uid\":\"$12d\",\"uid\":\"$133\",\"field_page_s"])</script><script>self.__next_f.push([1,"ection\":\"$139\",\"field_related_collection\":\"$140\",\"field_resource_type\":\"$149\",\"field_roles\":\"$14f\",\"field_topics\":\"$158\"}\n11f:{\"type\":\"node--explainer\",\"id\":\"c1152e47-1dfe-4010-b73e-3c2661ff646f\",\"links\":\"$120\",\"attributes\":\"$122\",\"relationships\":\"$126\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"9086328f-ae1d-4345-a435-8300071aae86\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86?resourceVersion=id%3A6121\"}},\"attributes\":{\"drupal_internal__nid\":641,\"drupal_internal__vid\":6121,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:56:12+00:00\",\"status\":true,\"title\":\"CMS Computer Matching Agreement (CMA)\",\"created\":\"2023-02-02T14:59:22+00:00\",\"changed\":\"2025-01-16T20:56:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-computer-matching-agreement-cma\",\"pid\":631,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":{\"value\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eWritten agreement used in the comparison of automated systems of record between federal or state agencies\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-privacy-agreement-consults\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/node_type?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/node_type?resourceVersion=id%3A6121\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/revision_uid?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/revision_uid?resourceVersion=id%3A6121\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/uid?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/uid?resourceVersion=id%3A6121\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"ebf079d8-dd73-43d4-b270-1dffecde688b\",\"meta\":{\"target_revision_id\":20081,\"drupal_internal__target_id\":451}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_page_section?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_page_section?resourceVersion=id%3A6121\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\",\"meta\":{\"target_revision_id\":20086,\"drupal_internal__target_id\":1876}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f569b2e-5e41-45c0-954e-df9128d24e6e\",\"meta\":{\"target_revision_id\":20091,\"drupal_internal__target_id\":3576}},{\"type\":\"paragraph--internal_link\",\"id\":\"8dde78c3-a853-4117-b100-c1c97b47829c\",\"meta\":{\"target_revision_id\":20096,\"drupal_internal__target_id\":3581}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_related_collection?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_related_collection?resourceVersion=id%3A6121\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_resource_type?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_resource_type?resourceVersion=id%3A6121\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_roles?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_roles?resourceVersion=id%3A6121\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/field_topics?resourceVersion=id%3A6121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/9086328f-ae1d-4345-a435-8300071aae86/relationships/field_topics?resourceVersion=id%3A6121\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}},\"attributes\":{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"ebf079d8-dd73-43d4-b270-1dffecde688b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b?resourceVersion=id%3A20081\"}},\"attributes\":{\"drupal_internal__id\":451,\"drupal_internal__revision_id\":20081,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T15:02:52+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/paragraph_type?resourceVersion=id%3A20081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/relationships/paragraph_type?resourceVersion=id%3A20081\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/field_specialty_item?resourceVersion=id%3A20081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/ebf079d8-dd73-43d4-b270-1dffecde688b/relationships/field_specialty_item?resourceVersion=id%3A20081\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007?resourceVersion=id%3A20086\"}},\"attributes\":{\"drupal_internal__id\":1876,\"drupal_internal__revision_id\":20086,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T19:31:36+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/paragraph_type?resourceVersion=id%3A20086\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/relationships/paragraph_type?resourceVersion=id%3A20086\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"85d3c6d9-87da-4285-9571-cfef16aa6d61\",\"meta\":{\"drupal_internal__target_id\":356}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/field_link?resourceVersion=id%3A20086\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5fc47ff1-39bd-4c95-b001-ad89e85cd007/relationships/field_link?resourceVersion=id%3A20086\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f569b2e-5e41-45c0-954e-df9128d24e6e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e?resourceVersion=id%3A20091\"}},\"attributes\":{\"drupal_internal__id\":3576,\"drupal_internal__revision_id\":20091,\"langcode\":\"en\",\"status\":true,\"created\":\"2025-01-16T20:53:38+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/paragraph_type?resourceVersion=id%3A20091\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/relationships/paragraph_type?resourceVersion=id%3A20091\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"c1152e47-1dfe-4010-b73e-3c2661ff646f\",\"meta\":{\"drupal_internal__target_id\":1246}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/field_link?resourceVersion=id%3A20091\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/7f569b2e-5e41-45c0-954e-df9128d24e6e/relationships/field_link?resourceVersion=id%3A20091\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"8dde78c3-a853-4117-b100-c1c97b47829c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c?resourceVersion=id%3A20096\"}},\"attributes\":{\"drupal_internal__id\":3581,\"drupal_internal__revision_id\":20096,\"langcode\":\"en\",\"status\":true,\"created\":\"2025-01-16T20:56:04+00:00\",\"parent_id\":\"641\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/paragraph_type?resourceVersion=id%3A20096\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/relationships/paragraph_type?resourceVersion=id%3A20096\"}}},\"field_link\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/field_link?resourceVersion=id%3A20096\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/8dde78c3-a853-4117-b100-c1c97b47829c/relationships/field_link?resourceVersion=id%3A20096\"}}}}},{\"type\":\"node--explainer\",\"id\":\"85d3c6d9-87da-4285-9571-cfef16aa6d61\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61?resourceVersion=id%3A6126\"}},\"attributes\":{\"drupal_internal__nid\":356,\"drupal_internal__vid\":6126,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:57:31+00:00\",\"status\":true,\"title\":\"CMS Information Exchange Agreement (IEA)\",\"created\":\"2022-08-29T16:33:09+00:00\",\"changed\":\"2025-01-16T20:57:31+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-information-exchange-agreement-iea\",\"pid\":346,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":{\"value\":\"Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eBusiness Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-privacy-agreement-consults\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/node_type?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/node_type?resourceVersion=id%3A6126\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/revision_uid?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/revision_uid?resourceVersion=id%3A6126\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/uid?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/uid?resourceVersion=id%3A6126\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"24c64778-0ed9-4ae9-b9dc-dfc10681357c\",\"meta\":{\"target_revision_id\":20101,\"drupal_internal__target_id\":466}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_page_section?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_page_section?resourceVersion=id%3A6126\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"4cef73c0-51d2-4d1a-8273-05c4fcd038bf\",\"meta\":{\"target_revision_id\":20106,\"drupal_internal__target_id\":1841}},{\"type\":\"paragraph--internal_link\",\"id\":\"7eda830e-a420-46c6-b3a6-3a7c9dd09d0d\",\"meta\":{\"target_revision_id\":20111,\"drupal_internal__target_id\":1846}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_related_collection?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_related_collection?resourceVersion=id%3A6126\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_resource_type?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_resource_type?resourceVersion=id%3A6126\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_roles?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_roles?resourceVersion=id%3A6126\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/field_topics?resourceVersion=id%3A6126\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/85d3c6d9-87da-4285-9571-cfef16aa6d61/relationships/field_topics?resourceVersion=id%3A6126\"}}}}},{\"type\":\"node--explainer\",\"id\":\"c1152e47-1dfe-4010-b73e-3c2661ff646f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f?resourceVersion=id%3A6131\"}},\"attributes\":{\"drupal_internal__nid\":1246,\"drupal_internal__vid\":6131,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-16T20:58:18+00:00\",\"status\":true,\"title\":\"Data Sharing Agreements\",\"created\":\"2025-01-16T20:26:35+00:00\",\"changed\":\"2025-01-16T20:58:18+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/data-sharing-agreements\",\"pid\":1366,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"privacy@cms.hhs.gov\",\"field_contact_name\":\"Privacy Office\",\"field_short_description\":{\"value\":\"Agreements that establish how data will be managed and protected when shared between CMS and another agency\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAgreements that establish how data will be managed and protected when shared between CMS and another agency\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-privacy-agreement-consults\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/node_type?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/node_type?resourceVersion=id%3A6131\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/revision_uid?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/revision_uid?resourceVersion=id%3A6131\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/uid?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/uid?resourceVersion=id%3A6131\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"e6f122bb-36d3-41e9-833e-29c6351eb939\",\"meta\":{\"target_revision_id\":20116,\"drupal_internal__target_id\":3571}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_page_section?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_page_section?resourceVersion=id%3A6131\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"98b4c323-6323-4eb8-98fd-7f6414cc3368\",\"meta\":{\"target_revision_id\":20121,\"drupal_internal__target_id\":3586}},{\"type\":\"paragraph--internal_link\",\"id\":\"5d97f40c-547a-439b-a92a-23efe869a4eb\",\"meta\":{\"target_revision_id\":20126,\"drupal_internal__target_id\":3591}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_related_collection?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_related_collection?resourceVersion=id%3A6131\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_resource_type?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_resource_type?resourceVersion=id%3A6131\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_roles?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_roles?resourceVersion=id%3A6131\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/field_topics?resourceVersion=id%3A6131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/c1152e47-1dfe-4010-b73e-3c2661ff646f/relationships/field_topics?resourceVersion=id%3A6131\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1a\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2c\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$46\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$60\",\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\":\"$7a\",\"ebf079d8-dd73-43d4-b270-1dffecde688b\":\"$94\",\"5fc47ff1-39bd-4c95-b001-ad89e85cd007\":\"$a7\",\"7f569b2e-5e41-45c0-954e-df9128d24e6e\":\"$b9\",\"8dde78c3-a853-4117-b100-c1c97b47829c\":\"$cb\",\"85d3c6d9-87da-4285-9571-cfef16aa6d61\":\"$db\",\"c1152e47-1dfe-4010-b73e-3c2661ff646f\":\"$11f\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Computer Matching Agreement (CMA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Computer Matching Agreement (CMA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Computer Matching Agreement (CMA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Written agreement used in the comparison of automated systems of record between federal or state agencies\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-computer-matching-agreement-cma/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink