<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Cybersecurity Integration Center (CCIC) | CMS Information Security & Privacy Group</title><meta name="description" content="The CCIC uses data to address incidents through 
risk management and monitoring activities across CMS "/><link rel="canonical" href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Cybersecurity Integration Center (CCIC) | CMS Information Security & Privacy Group"/><meta property="og:description" content="The CCIC uses data to address incidents through risk management and monitoring activities across CMS "/><meta property="og:url" content="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Cybersecurity Integration Center (CCIC) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="The CCIC uses data to address incidents through risk management and monitoring activities across CMS "/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United 
States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span 
class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul 
id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk 
Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones 
(POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at 
CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button 
aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Cybersecurity Integration Center (CCIC)</h1><p class="hero__description">The CCIC uses data to address incidents through risk management and monitoring activities across CMS </p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">Report incidents in ServiceNOW</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div 
class="text-block text-block--theme-explainer"><h2>What is the CCIC?</h2><p>The CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity. </p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Report an incident</h1><p>Do you need to report an incident? The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review. </p><p><a href="https://cmsitsm.servicenowservices.com/connect">Create a ticket</a></p></section><div class="text-block text-block--theme-explainer"><p>The CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the <a href="https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2">CMS Information Systems Security and Privacy Policy (IS2P2)</a>: </p><ul><li>Identifying cyber threats </li><li>Disseminating cybersecurity advisories and guidance</li><li>Coordinating incident response activities in response to ongoing threats</li><li>Developing containment and mitigation approaches for cyber threats</li><li>Defining minimum interoperable defensive technology requirements for CMS systems</li><li>Reporting CMS information security and privacy incidents and breaches to HHS </li><li>Performing malware analysis and advanced analytics</li><li>Adhering to federal law, regulations, mandates, and directives for continual assessment and incident response 
activities</li><li>Defining information security and privacy requirements for all phases of the system development life cycle (SDLC)</li><li>Validating incident response processes and procedures</li><li>Defining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat intelligence</li></ul><p>The CCIC is made up of a collection of resources and teams that provide continuous monitoring, incident response, and threat intelligence services to System Teams across the enterprise and access to the following resources: </p><h3>Security Operations Center (SOC)</h3><p>The <strong>ISPG Security Operations Center (SOC) </strong>offers 24/7, 365 continuous monitoring activities for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC including: </p><h4>SOC-as-a-Service </h4><p>As the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The ‘SOC-as-a-Service’ was designed to provide SOC services and capabilities to CMS FISMA System Teams that are not able to provide those capabilities themselves or that do not wish to incur the costs associated with these services directly. Systems can be onboarded to the ISPG SOC through an <a href="https://security.cms.gov/learn/cms-memorandum-understanding-mou">MOU</a> to provide a direct response to incidents, breaches, and threats. With improved access to information, tools, and resources, teams can develop better response capabilities. 
</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Get SOC-as-a-Service for your team </h1><p>Access the latest tools and resources for your FISMA system -- connect with the SOC to onboard your team. </p><p><a href="https://cmsitsm.servicenowservices.com/connect?page=cat_item&sys_id=8d414c9f1bd4e4100888ed7bbc4bcbed&sysparm_category=5d2681841b17e0100888ed7bbc4bcb7f">Get started with SOC as a Service</a></p></section><div class="text-block text-block--theme-explainer"><h4>Threat Hunting Services </h4><p>Threat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams about appropriate mitigations and procedures to address gaps that lead to threats. </p><h4>Content Creation and Management Services </h4><p>The Content Creation and Management Team provides subject-matter expertise in the areas of producing alert signatures, establishing dashboards, and developing reports for data sets. With help from Splunk, SOC Content Developers create signatures, look for known threats, and generate new alerts based on new indicators of compromise. </p><h4>Marketplace SOC </h4><p>The Marketplace SOC reports twice per week during non-open enrollment times regarding attacks to various spaces in the marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. They then help System Teams drive <a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&Ms)</a> to closure prior to open enrollment and provide risk management services for POA&Ms. 
</p><h4>Insider Threat </h4><p>Some threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts. </p><h4>Phishing Prevention Analysis </h4><p>Working with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. When users report phishing activity (using the Cofense button located on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings. </p><h4>ServiceNOW Security Incident Response </h4><p>This service within the SOC provides Incident Response Breach Response (IRBR) activities with improved ticketing to enhance response time. This resource also helps System Teams improve their overall incident response capabilities and update the content and accuracy of their tabletop exercises. </p><h3>Incident Management </h3><p>The Incident Management Team (IMT) is responsible for incident response at CMS. They triage tickets that come to the service desk when there is a potential compromise to the security of CMS systems or data. The IMT helps speed response time and supports System Teams through the appropriate handling of incidents. </p><h3>Penetration Testing </h3><p>The CCIC is the home of ISPG’s in-house <a href="https://security.cms.gov/learn/penetration-testing-pentesting">Penetration Testing</a> Team. Penetration Testing (PenTesting) helps to identify areas where system security has been compromised or could be compromised in the future. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. </p><p>The ISPG Penetration Testing Team has knowledge of the FISMA systems they’re testing, so they’re a great place to start for your Penetration Testing needs. </p><h3>Forensics </h3><p>The Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to strengthen security defenses after an attack.</p><h3>Cyber Threat Intelligence </h3><p>The Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. These threat hunters scan the dark web and other sources to seek out bad actors and threats before they materialize and impact CMS systems. </p><h3>Vulnerability Analysis </h3><p>The Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA Systems across CMS. Using external-facing tool sets like DB Protect and Invicti, the team initiates system scans every 72 hours to assess the overall security posture of each system. They share vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems. </p><h3>CCIC Engineering </h3><p>The CCIC Engineering Team helps to build and test tools used by System Teams across the enterprise. As part of this work, they run proofs of concept with outside vendors and tools to identify what might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS. 
</p><h2>Connecting with the CCIC</h2><p>CMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber threat. </p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Get the latest from the CCIC </h1><p>Review offerings from the CCIC in the ServiceNOW catalog (VPN required).</p><p><a href="https://cmsitsm.servicenowservices.com/connect">See the catalog</a></p></section></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing and documenting system security and compliance to gain approval to operate the system at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></h3></div><div class="usa-card__body font-sans-2xs 
line-height-sans-4 text-base-darkest"><p>Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/threat-modeling">Threat Modeling</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Design practices that facilitate secure software development through organization and collaboration </p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/penetration-testing-pentesting">Penetration Testing (PenTesting)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" 
href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir">Risk Management Handbook Chapter 8: Incident Response (IR)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>This chapter (RMH Chapter 8) identifies the policies and standards for the Incident Response family of controls</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" 
href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare & Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" 
async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-cybersecurity-integration-center-ccic\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cms-cybersecurity-integration-center-ccic\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-cybersecurity-integration-center-ccic\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-cybersecurity-integration-center-ccic\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\
"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b
1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data 
Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer 
Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework 
(RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application 
Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement 
(IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act 
(HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System 
Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian 
Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis 
(SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email 
Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat 
Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and 
Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) 
Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer 
(ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor 
(CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program 
(CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy 
(IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization 
Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Ta5c,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentifying cyber threats\u0026nbsp;\u003c/li\u003e\u003cli\u003eDisseminating cybersecurity advisories and guidance\u003c/li\u003e\u003cli\u003eCoordinating incident response activities in response to ongoing threats\u003c/li\u003e\u003cli\u003eDeveloping containment and mitigation approaches for cyber threats\u003c/li\u003e\u003cli\u003eDefining minimum interoperable defensive technology requirements for CMS systems\u003c/li\u003e\u003cli\u003eReporting CMS information security and privacy incidents and breaches to HHS\u0026nbsp;\u003c/li\u003e\u003cli\u003ePerforming 
malware analysis and advanced analytics\u003c/li\u003e\u003cli\u003eAdhering to federal law, regulations, mandates, and directives for continual assessment and incident response activities\u003c/li\u003e\u003cli\u003eDefining information security and privacy requirements for all phases of the system development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eValidating incident response processes and procedures\u003c/li\u003e\u003cli\u003eDefining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CCIC is made up of a collection of resources and teams that provide continuous monitoring, incident response, and threat intelligence services to System Teams across the enterprise and access to the following resources:\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Operations Center (SOC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eISPG Security Operations Center (SOC) \u003c/strong\u003eoffers 24/7, 365 continuous monitoring activities for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC including:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSOC-as-a-Service\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The ‘SOC-as-a-Service’ was designed to provide SOC services and capabilities to CMS FISMA System Teams that are not able to provide those capabilities themselves or that do not wish to incur the costs associated with these services directly. 
Systems can be onboarded to the ISPG SOC through an \u003ca href=\"https://security.cms.gov/learn/cms-memorandum-understanding-mou\"\u003eMOU\u003c/a\u003e to provide a direct response to incidents, breaches, and threats. With improved access to information, tools, and resources, teams can develop better response capabilities.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Ta5c,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentifying cyber threats\u0026nbsp;\u003c/li\u003e\u003cli\u003eDisseminating cybersecurity advisories and guidance\u003c/li\u003e\u003cli\u003eCoordinating incident response activities in response to ongoing threats\u003c/li\u003e\u003cli\u003eDeveloping containment and mitigation approaches for cyber threats\u003c/li\u003e\u003cli\u003eDefining minimum interoperable defensive technology requirements for CMS systems\u003c/li\u003e\u003cli\u003eReporting CMS information security and privacy incidents and breaches to HHS\u0026nbsp;\u003c/li\u003e\u003cli\u003ePerforming malware analysis and advanced analytics\u003c/li\u003e\u003cli\u003eAdhering to federal law, regulations, mandates, and directives for continual assessment and incident response activities\u003c/li\u003e\u003cli\u003eDefining information security and privacy requirements for all phases of the system development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eValidating incident response processes and procedures\u003c/li\u003e\u003cli\u003eDefining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat 
intelligence\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CCIC is made up of a collection of resources and teams that provide continuous monitoring, incident response, and threat intelligence services to System Teams across the enterprise and access to the following resources:\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Operations Center (SOC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eISPG Security Operations Center (SOC) \u003c/strong\u003eoffers 24/7, 365 continuous monitoring activities for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC including:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSOC-as-a-Service\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The ‘SOC-as-a-Service’ was designed to provide SOC services and capabilities to CMS FISMA System Teams that are not able to provide those capabilities themselves or that do not wish to incur the costs associated with these services directly. Systems can be onboarded to the ISPG SOC through an \u003ca href=\"https://security.cms.gov/learn/cms-memorandum-understanding-mou\"\u003eMOU\u003c/a\u003e to provide a direct response to incidents, breaches, and threats. With improved access to information, tools, and resources, teams can develop better response capabilities.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T16bf,"])</script><script>self.__next_f.push([1,"\u003ch4\u003e\u003cstrong\u003eThreat Hunting Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThreat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. 
These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams about appropriate mitigations and procedures to address gaps that lead to threats.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContent Creation and Management Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Content Creation and Management Team provides subject-matter expertise in the areas of producing alert signatures, establishing dashboards, and developing reports for data sets. With help from Splunk, SOC Content Developers create signatures, look for known threats, and generate new alerts based on new indicators of compromise.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMarketplace SOC\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Marketplace SOC reports twice per week during non-open enrollment times regarding attacks to various spaces in the marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. They then help System Teams drive \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e to closure prior to open enrollment and provide risk management services for POA\u0026amp;Ms.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInsider Threat\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. 
The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhishing Prevention Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWorking with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. When users report phishing activity (using the Cofense button located on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eServiceNOW Security Incident Response\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis service within the SOC provides Incident Response Breach Response (IRBR) activities with improved ticketing to enhance response time. This resource also helps System Teams improve their overall incident response capabilities and update the content and accuracy of their tabletop exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Management\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) is responsible for incident response at CMS. They triage tickets that come to the service desk when there is a potential compromise to the security of CMS systems or data. The IMT helps speed response time and supports System Teams through the appropriate handling of incidents.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC is the home of ISPG’s in-house \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e Team. 
Penetration Testing (PenTesting) helps to identify areas where system security has been compromised or could be compromised in the future. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe ISPG Penetration Testing Team has knowledge of the FISMA systems they’re testing, so they’re a great place to start for your Penetration Testing needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eForensics\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to strengthen security defenses after an attack.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat Intelligence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. These threat hunters scan the dark web and other sources to seek out bad actors and threats before they materialize and impact CMS systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA Systems across CMS. Using external-facing tool sets like DB Protect and Invicty, the team initiates system scans every 72 hours to assess the overall security posture of each system. 
They share vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCCIC Engineering\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC Engineering Team helps to build and test tools used by System Teams across the enterprise. As part of this work, they run proof-of-concept for outside vendors and tools to identify what might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConnecting with the CCIC\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber threat.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T16bf,"])</script><script>self.__next_f.push([1,"\u003ch4\u003e\u003cstrong\u003eThreat Hunting Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThreat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams about appropriate mitigations and procedures to address gaps that lead to threats.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContent Creation and Management Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Content Creation and Management Team provides subject-matter expertise in the areas of producing alert signatures, establishing dashboards, and developing reports for data sets. 
With help from Splunk, SOC Content Developers create signatures, look for known threats, and generate new alerts based on new indicators of compromise.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMarketplace SOC\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Marketplace SOC reports twice per week during non-open enrollment times regarding attacks to various spaces in the marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. They then help System Teams drive \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e to closure prior to open enrollment and provide risk management services for POA\u0026amp;Ms.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInsider Threat\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhishing Prevention Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWorking with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. 
When users report phishing activity (using the Cofense button located on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eServiceNOW Security Incident Response\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis service within the SOC provides Incident Response Breach Response (IRBR) activities with improved ticketing to enhance response time. This resource also helps System Teams improve their overall incident response capabilities and update the content and accuracy of their tabletop exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Management\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) is responsible for incident response at CMS. They triage tickets that come to the service desk when there is a potential compromise to the security of CMS systems or data. The IMT helps speed response time and supports System Teams through the appropriate handling of incidents.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC is the home of ISPG’s in-house \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e Team. Penetration Testing (PenTesting) helps to identify areas where system security has been compromised or could be compromised in the future. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe ISPG Penetration Testing Team has knowledge of the FISMA systems they’re testing, so they’re a great place to start for your Penetration Testing needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eForensics\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to strengthen security defenses after an attack.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat Intelligence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. These threat hunters scan the dark web and other sources to seek out bad actors and threats before they materialize and impact CMS systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA Systems across CMS. Using external-facing tool sets like DB Protect and Invicty, the team initiates system scans every 72 hours to assess the overall security posture of each system. 
They share vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCCIC Engineering\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC Engineering Team helps to build and test tools used by System Teams across the enterprise. As part of this work, they run proof-of-concept for outside vendors and tools to identify what might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConnecting with the CCIC\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber threat.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T23062,"])</script><script>self.__next_f.push([1,"\u003ch3\u003eIntroduction\u003c/h3\u003e\u003cp\u003eRMH Chapter 8 Incident Response documents the controls that focus on how the organization must: establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and track, document, and report incidents to appropriate organizational officials and/or authorities. Procedures addressed include incident response training, incident response testing, incident handling, monitoring and reporting, and information spillage response. 
Within this chapter, readers will find the CMS Cybersecurity Integration Center (CCIC) Functional Area Overview figure and how the Incident Management Team (IMT) within the CCIC works with systems to mitigate information security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLooking for templates and forms about Incident Response\u003c/strong\u003e? Within this page you can find:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eCMS Security and Privacy Incident Report form\u003c/a\u003e (for reporting an incident)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eIncident Response Plan Template\u003c/a\u003e (for creating your Incident Response plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-test-plan-template\"\u003eTabletop Exercise Test Template\u003c/a\u003e (for creating your Tabletop Exercise that you will use to test your Incident Response Plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-participant-guide-template\"\u003eTabletop Exercise Participant Guide Template\u003c/a\u003e (for creating Participant Guides that you can give to people who will be participating in your Tabletop Exercise)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#after-action-report-template\"\u003eAfter-Action Report Template\u003c/a\u003e (for summarizing the outcomes / finding of the Tabletop Exercise, along with any necessary next 
steps)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eCommon Control Inheritance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe inherited controls list can be used to identify common controls offered by system alternatives. The use of inherited controls is optional, the objective of this process is to identify opportunities to extract benefits (and reduce costs) by maximizing the use of already existing solutions, and minimizing duplication of efforts across the enterprise.\u003c/p\u003e\u003cp\u003eBelow is a listing of controls that can be inherited, where they can be inherited from and if they are a hybrid control for this control family.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Response Control\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInheritable From\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eHybrid Control\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-01\u003c/td\u003e\u003ctd\u003eOCISO Inheritable Controls\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - 
EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(02)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(01)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(04)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-08\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(03)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - 
EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(04)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eProcedures\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProcedures assist in the implementation of the required security and privacy controls.\u003c/p\u003e\u003cp\u003eIn this section, the IR family procedures are outlined. To increase traceability, each procedure maps to the associated National Institute of Standards and Technology (NIST) controls using the control number from the CMS Acceptable Risk Safeguards (ARS).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Training (IR-02)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Training is to prepare individuals to prevent, detect, and respond to security and privacy incidents, and ensure that CMS fulfills Federal Information Security Modernization Act (FISMA) requirements. Incident response training should be consistent with the roles and responsibilities assigned in the incident response plan. For example, incident response training is applicable to Information System Owners (SO), Business Owners (BO), and Information System Security Officers (ISSO). 
CMS personnel (i.e., employees and contractors) who routinely access sensitive data, such as names, Social Security numbers, and health records, to carry out the CMS mission receive incident response training annually as part of the general information security awareness training.\u003c/p\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) shall endorse and promote organization-wide information systems security and privacy awareness training. According to the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the CIO shall establish, implement, and enforce a CMS-wide framework to facilitate an incident response program, including Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) breaches, that ensures proper and timely reporting to HHS. In the CMS IS2P2, the CISO and the SOP shall ensure the CMS-wide implementation of Department and CMS policies and procedures that relate to information security and privacy incident response.\u003c/p\u003e\u003cp\u003eUsers must be aware that the Internal Revenue Code (IRC), Section 6103(p)(4)(D), requires that agencies receiving FTI provide appropriate safeguard measures to ensure the confidentiality of the FTI. Incident response training is one of the safeguards for implementing this requirement.\u003c/p\u003e\u003cp\u003eThe CMS Information Security and Privacy Group (ISPG) will provide incident response training to information system users that is consistent with assigned roles and responsibilities when assuming an incident response role or responsibility and annually thereafter. 
For example, general users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. In addition, those responsible for identifying and responding to a security incident must understand how to recognize when PII or PHI are involved so that they can coordinate with the SOP.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally-defined parameters (ODPs) for IR-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters – Control IR-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within [\u003cem\u003eAssignment: organization- defined time period\u003c/em\u003e] of assuming an incident response role or responsibility;\u003c/p\u003e\u003cp\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within one (1) month of assuming an incident response role or responsibility;\u003cbr\u003e\u003cbr\u003eb. 
When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eTraining for General Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor all Enterprise User Administration (EUA) users, the following steps outline the process for completing the CMS Computer-based Training (CBT), which includes IR training.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eThe incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at the \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e. The training will be delivered to all EUA users initially prior to account issuance and annually thereafter. It is the responsibility of users to take this training within three (3) days.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEach year, based on the date of account issuance, each user receives an email that requires a review and completion of the annual CBT.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eTraining records are maintained using the CBT database and include the User ID (UID) and the date the individual last completed the training.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRole-Based Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor individuals with incident response roles and responsibilities, role-based training is satisfied through the execution of a tabletop exercise as long as all personnel with incident response roles and responsibilities participate in the exercise. 
Review Section 3.2 Incident Response Testing for procedures to conduct a tabletop exercise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSimulated Events (IR-02(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to facilitate the effective response by personnel who handle crisis situations by incorporating simulated events into incident response training. Exercises involving simulated incidents can also be very useful for preparing staff for incident handling.1\u003c/p\u003e\u003cp\u003eThe selection of the scenarios should occur as a part of the test plan development; see Section 3.2 Incident Response Testing for developing the test plan. The following details the CMS specific process for incorporating simulated events/scenarios into incident response training, through the execution of a tabletop exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eSelect two scenarios from the list below that will form the foundation of the tabletop exercise. Document the scenarios and a description of each in the Tabletop Exercise Test Plan. It is important to select your scenarios based upon an assessment of risk (i.e., the greatest current threats). Weaknesses identified during prior incidents might identify good candidate scenarios for future incident response tests. In addition, results from prior \u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003esecurity control assessments (SCAs)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or existing \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e might assist in selecting scenarios for incident response testing. 
For example, if access control was identified as a weakness during a prior SCA, a good scenario to select for incident response testing would be scenario 6 (Unauthorized Access to Payroll Records). Detailed descriptions of each of these scenarios can be found in the ISPL (Information Security and Privacy Library) and the scenarios are listed below:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eScenario 1: \u003c/strong\u003eDomain Name System (DNS) Server Denial of Service (DoS)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 2: \u003c/strong\u003eWorm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 3: \u003c/strong\u003eStolen Documents\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 4: \u003c/strong\u003eCompromised Database Server\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 5: \u003c/strong\u003eUnknown Exfiltration\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 6: \u003c/strong\u003eUnauthorized Access to Payroll Records\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 7: \u003c/strong\u003eDisappearing Host\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 8: \u003c/strong\u003eTelecommuting Compromise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 9: \u003c/strong\u003eAnonymous Threat\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 10: \u003c/strong\u003ePeer-to-Peer File Sharing\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 11: \u003c/strong\u003eUnknown Wireless Access Point\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEnsure that the material developed for the tabletop exercise supports the scenarios selected. 
Review Section 3.2 Incident Response Testing for more information on developing the exercise material.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eExecute the tabletop test using the procedures outlined below in Section 3.2 Incident Response Testing Automated Training Environments (IR-02(02)).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Training Environments (IR-02(02))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Incident Response Training/Automated Training Environments is to ensure that CMS employs automated mechanisms to provide a more thorough and realistic incident training environment. At CMS, incident training and incident response testing are both satisfied through the execution of a tabletop exercise. These tabletop exercises are designed to incorporate automated mechanisms for incident response; review Section 3.2.1 Automated Testing for the detailed procedures, which ensure that automated mechanisms are incorporated into incident response training.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Testing (IR-03)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Testing is to ensure that CMS tests the incident response capability for the information system using testing principles to determine the incident response effectiveness and document the results.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for IR testing.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control IR-03\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization tests the incident response capability for the information system:\u003c/p\u003e\u003cp\u003e[Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe organization tests the incident response capability for the information system within every three hundred sixty-five (365) days using NIST SP 800-61, reviews, analyses, and simulations to determine the organization’s incident response effectiveness, and documents its findings.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS incident response testing is accomplished through the execution of tabletop exercises. Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss roles during an emergency and the responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS-specific process for conducting a tabletop exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete the Test Plan utilizing the Tabletop Exercise Test Plan Template located in the ISPL. Testing must include two scenario-based exercises to determine the ability of the CMS to respond to information security and privacy incidents. 
Scenarios should be selected which integrate the use of automated mechanisms for incident response.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAcquire approval of the Test Plan from the Business Owner and/or ISSO. The approval is granted by signing the final row of the Test Plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDevelop the exercise materials (e.g., briefings, Participant Guide). A sample Tabletop Exercise Participant Guide Template is located in the ISPL. For more information on functional exercise material please refer to Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/84/final\"\u003eNIST SP 800- 84\u003c/a\u003e\u003cstrong\u003e, \u003c/strong\u003e\u003cem\u003eGuide to Test, Training, and Exercise Programs for IT Plans and Capabilities.\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eConduct the tabletop exercise according to the approved Test Plan. The agenda contained within the Test Plan serves as a guide for executing the exercise. Prior to releasing the exercise participants, the Exercise Facilitator and Data Collector conduct a debrief/hotwash.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eEvaluate the tabletop exercise by completing the After-Action Report located in the ISPL. This step is completed by the Exercise Facilitator and Data Collector.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCoordination with Related Plans (IR-03(02))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of the Incident Response Testing/Coordination with Related Plans is to ensure that CMS coordinates incident response testing with organizational elements responsible for related plans. 
Related plans can include but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfiguration Management Plan\u003c/li\u003e\u003cli\u003eInformation System Contingency Plan\u003c/li\u003e\u003cli\u003ePatch and Vulnerability Management Plan\u003c/li\u003e\u003cli\u003eInformation System Continuous Monitoring Strategy/Plan\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following steps detail the CMS specific process to ensure Coordination with Related Plans:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1:\u0026nbsp; \u003c/strong\u003eIdentify the related plans and the stakeholders associated with each.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEstablish a primary method of communication. Possible methods of communication include emails, face-to-face meetings, and teleconferences.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eUsing the primary method of communication identified above, request copies of related plans. Review the related plans identifying dependencies for the IR test.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eIdentify stakeholders from related plans that will be required to participate in the incident response exercise. Coordinate with the stakeholders through the establishment, review, and execution of a test plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eConduct follow up communications as necessary. 
Specifically, a copy of the After-Action Report should be provided to stakeholders associated with related plans so that those plans may be updated as needed.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Handling (IR-04)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS implements an incident handling capability for security and privacy incidents that includes 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post incident activity.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAll distributed Incident Response Teams (IRT) fall under the authority of the CCIC IMT, the single information security and privacy incident coordination entity. Each individual system is responsible for identifying incident responders as part of the system’s Incident Response Plan (IRP). The incident responders serve as the frontline of the incident handling capability with oversight and incident response assistance provided by the IMT. This section of the document establishes the specific requirements and processes for maintaining a unified, cohesive incident handling capability across the CMS enterprise and describes the relationship between the IMT and the frontline incident responders.\u003c/p\u003e\u003cp\u003eIn the event of a suspected or confirmed privacy (PII) data breach, CCIC IMT will notify ISPG that a Breach Analysis Team (BAT) should be convened, including representatives from ISPG, IMT, and system stakeholders such as the system Business Owner. The BAT will conduct and document a formal Risk Assessment to assess the risk of harm to individuals potentially affected by the breach. 
The following factors are used:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNature and sensitivity of PII\u003c/li\u003e\u003cli\u003eLikelihood of access and use of PII and\u003c/li\u003e\u003cli\u003eType of breach\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the Risk Assessment concludes that there is a moderate or high risk that PII has been compromised, the CMS Senior Official for Privacy will work with IMT and system stakeholders to develop a notification plan to notify affected individuals and mitigate their risk.\u003c/p\u003e\u003cp\u003eAffected individuals should be notified of a breach via first-class mail where possible, though depending on the nature and scale of the breach, additional methods such as email, telephone, and local media outreach may be used. The breach notification should include the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSource of the breach\u003c/li\u003e\u003cli\u003eBrief description\u003c/li\u003e\u003cli\u003eDate of discovery and breach occurrence\u003c/li\u003e\u003cli\u003eType of PII involved\u003c/li\u003e\u003cli\u003eA statement of whether or not the information was encrypted\u003c/li\u003e\u003cli\u003eWhat steps individuals should take to protect themselves from potential harm and services being provided to potentially affected individuals\u003c/li\u003e\u003cli\u003eWhat the agency is doing to investigate and resolve the breach\u003c/li\u003e\u003cli\u003eWho affected individuals should contact for information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition to breach notification, CMS must also consider how best to mitigate the risk of harm to affected individuals. 
CMS may need to provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCountermeasures against misuse of lost PII/PHI, such as notifying a bank if credit card numbers are lost\u003c/li\u003e\u003cli\u003eGuidance on how affected individuals can protect themselves against identity theft, such as education on credit freezes and other defensive measures\u003c/li\u003e\u003cli\u003eServices, such as credit monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Breach Analysis Team may determine that some, all, or none of these mitigation techniques are appropriate for a given breach. Some breaches may require notification, but not mitigation.\u003c/p\u003e\u003cp\u003eThe Senior Official for Privacy (SOP) coordinates with the HHS Privacy Incident Response Team (PIRT) for review and approval of the CMS response plan, breach notification, and breach mitigation. Incident handling activities should be coordinated with contingency planning activities, and the lessons learned from ongoing incident handling activities should be incorporated into incident response procedures, training and testing. The procedure below provides an inclusive set of specific steps and requirements for handling information security and privacy incidents using the four-phase lifecycle. This lifecycle must be used by the IMT and the frontline incident responders to properly handle information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident response methodologies typically emphasize preparation, not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. 
Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for phase one (preparation) of the incident handling lifecycle:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure the proper preparations have been made to respond to information security and privacy incidents by completing the Incident Preparation Checklist located in the ISPL. This checklist should be reviewed annually in coordination with the update to the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEnsure regular practices have been implemented to prevent information security and privacy incidents. The list below taken from NIST SP 800-61 Rev. 2 provides a brief overview of some of the main recommended practices for securing networks, systems and applications.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eRisk Assessments: \u003c/strong\u003ePeriodic risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities. This should include understanding the applicable threats, including organization-specific threats. Each risk should be prioritized, and the risks can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. 
Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard for risk assessment requires that the results of the risk assessment are reviewed at least annually and that the risk assessment is updated at least every three years or when a significant change occurs.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eHost Security: \u003c/strong\u003eAll hosts should be hardened appropriately using standard configurations. In addition to keeping each host properly patched, hosts should be configured to follow the principle of least privilege, granting users only the privileges necessary for performing authorized tasks. Hosts should have auditing enabled and should log significant security-related events. The security of hosts and configurations should be continuously monitored. Many organizations use Security Content Automation Protocol (SCAP) configuration checklists to assist in securing hosts consistently and effectively.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires the implementation of the latest security configuration baselines established by the HHS, U.S. Government Configuration Baselines (USGCB), and the National Checklist Program (NCP).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNetwork Security: \u003c/strong\u003eThe network perimeter should be configured to deny all activity that is not expressly permitted. 
This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires that the information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalware Prevention: \u003c/strong\u003eSoftware to detect and stop malware should be deployed throughout the organization. Malware protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., email server, web proxies), and the application client level (e.g., email clients, instant messaging clients). The CMS standard requires that malicious code protection mechanisms are implemented as follows:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDesktops: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eServers \u003c/strong\u003e(to include databases and applications)\u003cstrong\u003e: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, malicious code protection mechanisms should be updated whenever new releases are available in accordance with CMS configuration management policy and procedures. Antivirus definitions should be updated in near-real-time. 
Malicious code protection mechanisms should be configured to block and quarantine malicious code and send alerts to administrators in response to malicious code detection.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eUser Awareness and Training: \u003c/strong\u003eUsers should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications as well as the policy and procedures for safeguarding data that is not in digital form (e.g., PII in paper form). Applicable lessons learned from previous incidents should also be shared with users to evaluate how actions taken by the user could affect the organization. Improving user awareness regarding incidents should reduce the frequency of incidents. IT staff should be trained to maintain networks, systems, and applications in accordance with the organization’s security standards. All users should be trained to protect printed hard/paper copies of data, including PII.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires all general users receive security and privacy awareness training annually. The incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at the \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e. The training must be delivered to all EUA users initially prior to account issuance and annually thereafter.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMaintain Inventory: \u003c/strong\u003eMaintain an accurate inventory of information system components identifying those components that store, transmit, and/or process PII. 
An accurate inventory facilitates the implementation of the appropriate information security and privacy controls and is critical to preventing, detecting and responding to information security incidents.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure that the preparation and prevention techniques listed in Steps 1 and 2 above have been incorporated into the incident response plan for the information system and exercised at least annually. Review Incident Response Plan for details on developing the incident response plan and Incident Response Testing for details on incident response testing.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePrepare for Common Attack Vectors. 
The attack vectors listed below are not intended to provide definitive classification for incidents; but rather, to simply list common methods of attack, which can be used as a basis for detection:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eExternal/Removable Media: \u003c/strong\u003eAn attack executed from removable media or a peripheral device, for example, malicious code spreading onto a system from an infected universal serial bus (USB) flash drive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAttrition: \u003c/strong\u003eAn attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services (e.g., a Distributed Denial of Service (DDoS) intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords, CAPTCHAS, or digital signatures).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWeb: \u003c/strong\u003eAn attack executed from a website or web-based application; for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEmail: \u003c/strong\u003eAn attack executed via an email message or attachment; for example, exploit code disguised as an attached document or a link to a malicious website in the body of an email message.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImpersonation: \u003c/strong\u003eAn attack involving replacement of something benign with something malicious; for example: spoofing, man in the middle attacks, rogue wireless access points, and structured query language (SQL) injection attacks all involve impersonation.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproper Usage: \u003c/strong\u003eAny incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories; for example, a user installs file 
sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRecognize the Signs of an Incident.\u0026nbsp; Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Precursors and indicators are identified using many different sources, with the most common being computer security software alerts, logs, publicly available information, and people. The table below, taken from \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Rev. 2\u003c/a\u003e, lists common sources of precursors and indicators for each category.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: Common Sources of Precursors and Indicators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlerts\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIDPSs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntrusion Detection and Prevention Systems (IDPS) products identify suspicious events and record pertinent data regarding them, including the date and time the attack was detected, the type of attack, the source and destination IP addresses, and the username (if applicable and known). Most IDPS products use attack signatures to identify malicious activity; the signatures must be kept up to date so that the newest attacks can be detected. 
IDPS software often produces \u003cem\u003efalse positives, \u003c/em\u003ealerts that indicate malicious activity is occurring, when in fact there has been none. Analysts should manually validate IDPS alerts either by closely reviewing the recorded supporting data or by getting related data from other sources.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSIEMs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eSecurity Information and Event Management (SIEM) products are similar to IDPS products, and can generate alerts based on analysis of log data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAntivirus and anti-spam software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eAntivirus software detects various forms of malware, generates alerts, and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks, and other malicious content, so alerts from antispam software may indicate attack attempts.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFile integrity checking software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFile integrity checking software can detect changes made to important files during incidents. It uses a hashing algorithm to obtain a cryptographic checksum for each designated file. If the file is altered and the checksum is recalculated, an extremely high probability exists that the new checksum will not match the old checksum. 
By regularly recalculating checksums and comparing checksum with previous values, changes to files can be detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eThird-party monitoring services\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThird parties offer a variety of subscription-based and free monitoring services. An example is fraud detection services that will notify an organization if its IP addresses, domain names, etc. are associated with current incident activity involving other organizations. There are also free real-time deny lists with similar information.\u003c/p\u003e\u003cp\u003eAnother example of a third-party monitoring service is a CSIRC notification list; these lists are often available only to other incident response teams.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003eLogs\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eOperating system, service and application logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eLogs from operating systems, services, and applications (particularly audit-related data) are frequently of great value when an incident occurs, such as recording which accounts were accessed and what actions were performed. Organizations should require a baseline level of logging on all systems and a higher baseline level on critical systems. 
Logs can be used for analysis by correlating event information.\u003c/p\u003e\u003cp\u003eDepending on the event information, an alert can be generated to indicate an incident.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork device logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLogs from network devices such as firewalls and routers are not typically a primary source of precursors or indicators. Although these devices are usually configured to log blocked connection attempts, little information is provided about the nature of the activity. Still, the devices can be valuable in identifying network trends and in correlating events detected by other devices.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork flows\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eA network flow is a particular communication session occurring between hosts. Routers and other networking devices can provide network flow information, which can be used to find anomalous network activity caused by malware, data exfiltration, and other malicious acts. There are many standards for flow data formats, including NetFlow, sFlow, and IPFIX.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePublicly Available Information\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation on new vulnerabilities and exploits\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eKeeping up with new vulnerabilities and exploits can prevent some incidents from occurring and assist in detecting and analyzing new attacks. The National Vulnerability Database (NVD) contains information on vulnerabilities. 
Organizations such as US-CERT and CERT®/CC periodically provide threat update information through briefings, web postings, and mailing lists.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePeople\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from within the organization\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eUsers, system administrators, network administrators, security staff, and others within the organization may report signs of incidents. It is important to validate all such reports. One approach is to ask people who provide such information how confident they are in the accuracy of the information. Recording this estimate along with the information provided can help considerably during incident analysis, particularly when conflicting data is discovered.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from other organizations\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReports of incidents that originate externally should be taken seriously. For example, the organization might be contacted by a party claiming a system at the organization is attacking the other party’s systems. External users may also report other indicators, such as a defaced web page or an unavailable service. Other incident response teams also may report incidents. 
It is important to have mechanisms in place for external parties to report indicators and for trained staff to monitor those mechanisms carefully; this may be as simple as setting up a phone number and email address, configured to forward messages to the help desk.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eReport and Analyze the Incident. Report the incident using the procedures outlined in Section 3.5 Incident Reporting. Once reported, the IMT and frontline IR responders analyze the incident. The following are recommendations taken from \u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-61\"\u003eNIST SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efor making incident analysis easier and more effective:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eProfile Networks and Systems\u003c/strong\u003e: Profiling is measuring the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling are running file integrity checking software on hosts to derive checksums for critical files and monitoring network bandwidth usage to determine what the average and peak usage levels are on various days and times. In practice, it is difficult to detect incidents accurately using most profiling techniques; organizations should use profiling as one of several detection and analysis techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUnderstand Normal Behaviors\u003c/strong\u003e: Incident response team members should study networks, systems, and applications to understand what the normal behavior is so that abnormal behavior can be recognized more easily. 
No incident handler will have a comprehensive knowledge of all behavior throughout the environment, but handlers should know which experts could fill in the gaps. One way to gain this knowledge is through reviewing log entries and security alerts. This may be tedious if filtering is not used to condense the logs to a reasonable size.\u0026nbsp; As handlers become more familiar with the logs and alerts, handlers should be able to focus on unexplained entries, which are usually more important to investigate. Conducting frequent log reviews should keep the knowledge fresh, and the analyst should be able to notice trends and changes over time. The reviews also give the analyst an indication of the reliability of each source.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCreate a Log Retention Policy: \u003c/strong\u003eInformation regarding an incident may be recorded in several places, such as firewall, IDPS, and application logs. Creating and implementing a log retention policy that specifies how long log data should be maintained may be extremely helpful in analysis because older log entries may show reconnaissance activity or previous instances of similar attacks. Another reason for retaining logs is that incidents may not be discovered until days, weeks, or even months later. The length of time to maintain log data is dependent on several factors, including the organization’s data retention policies and the volume of data. See NIST SP 800-92, \u003cem\u003eGuide to Computer Security Log Management \u003c/em\u003efor additional recommendations related to logging.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePerform Event Correlation: \u003c/strong\u003eEvidence of an incident may be captured in several logs that each contain different types of data; for example, a firewall log may have the source IP address that was used, whereas an application log may contain a username. 
A network IDPS may detect that an attack was launched against a particular host, but it may not know if the attack was successful. The analyst may need to examine the host’s logs to determine that information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCorrelating events among multiple indicator sources can be invaluable in validating whether a particular incident occurred.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eKeep All Host Clocks Synchronized\u003c/strong\u003e: Protocols such as the Network Time Protocol (NTP) synchronize clocks among hosts. Event correlation will be more complicated if the devices reporting events have inconsistent clock settings. From an evidentiary standpoint, it is preferable to have consistent timestamps in logs, for example, to have three logs that show an attack occurred at 12:07:01 a.m., rather than logs that list the attack as occurring at 12:07:01, 12:10:35, and 11:07:06.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMaintain and Use a Knowledge Base of Information: \u003c/strong\u003eThe knowledge base should include information that handlers need for referencing quickly during incident analysis. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets, and relatively simple databases provide effective, flexible, and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries, and application error codes.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse Internet Search Engines for Research: \u003c/strong\u003eInternet search engines can help analysts find information on unusual activity. For example, an analyst may see some unusual connection attempts targeting TCP port 22912. 
Performing a search on the terms “TCP,” “port,” and “22912” may return some hits that contain logs of similar activity or even an explanation of the significance of the port number. Note that separate workstations should be used for research to minimize the risk to the organization from conducting these searches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRun Packet Sniffers to Collect Additional Data: \u003c/strong\u003eSometimes the indicators do not record enough detail to permit the handler to understand what is occurring. If an incident is occurring over a network, the fastest way to collect the necessary data may be to have a packet sniffer capture the network traffic. Configuring the sniffer to record traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information. Because of privacy concerns, some organizations may require incident handlers to request and receive permission before using packet sniffers.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFilter the Data: \u003c/strong\u003eThere is simply not enough time to review and analyze all the indicators; at minimum, the most suspicious activity should be investigated. One effective strategy is to filter out categories of indicators that tend to be insignificant. Another filtering strategy is to show only the categories of indicators that are of the highest significance; however, this approach carries substantial risk because new malicious activity may not fall into one of the chosen indicator categories.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSeek Assistance from Others: \u003c/strong\u003eOccasionally, the team will be unable to determine the full cause and nature of an incident. 
If the team lacks sufficient information to contain and eradicate the incident, then it should consult with internal resources (e.g., information security staff) and external resources (e.g., US-CERT, other CSIRTs (Computer Security Incident Response Teams), contractors with incident response expertise). It is important to accurately determine the cause of each incident so that it can be fully contained.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 4\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eContinue to document updates to the incident in the Incident Response Reporting Template form.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003ePrioritize the incident using the criteria found in the \u003cem\u003e“Impact Category, Attack Vector Descriptions, \u0026amp; Attribute Category” \u003c/em\u003edocument of the Incident Response Reporting document which is located in the ISPL\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEstablish communication method and notify the appropriate CMS personnel. The Incident Notification Table located in the Incident Response Steps for CISO (Appendix A) is a guide on notification steps per incident type. 
The list below provides examples of individuals that may require notification in the event of an incident:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eHHS Office of the Inspector General (OIG)\u003c/li\u003e\u003cli\u003eLocal information response team within the organization\u003c/li\u003e\u003cli\u003eExternal incident response team (if appropriate)\u003c/li\u003e\u003cli\u003eSystem Owner\u003c/li\u003e\u003cli\u003eInformation System Security Owner\u003c/li\u003e\u003cli\u003eSystem Business Owner\u003c/li\u003e\u003cli\u003eSystem Cyber Risk Advisor\u003c/li\u003e\u003cli\u003eCMS Office of Human Capital (for cases involving employees, such as harassment through email)\u003c/li\u003e\u003cli\u003eCMS Office of Financial Management (in the case where extra funding is needed for investigation activities)\u003c/li\u003e\u003cli\u003eCMS Office of Communications (for incidents that may generate publicity)\u003c/li\u003e\u003cli\u003eCMS Office of Legislation (for incidents with potential legal ramifications)\u003c/li\u003e\u003cli\u003eUS-CERT (required for Federal agencies and systems operated on behalf of the Federal government).\u003c/li\u003e\u003cli\u003eIndividual (whose PII has been compromised)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe below table documents the responsibilities that should be fulfilled by employees in certain roles during an incident response event:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRole\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsibility\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCISO\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eLead the 
investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eOnce an incident has been validated, the incumbent CISO will follow the steps in the CISO Playbook which is attached as Appendix A. This playbook details the CISO’s responsibilities, the scenarios to be considered and the relevant incident response contacts during an event.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIMT Lead\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify and deliver incident situation reports to CMS CISO.\u003c/li\u003e\u003cli\u003eCoordinate Incident Response activities\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSenior Official for Privacy (SOP)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCoordinate/Support incident response activities with CISO.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the system Business Owner and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling which includes all incidents involving PII/PHI.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eWorks with IMT Lead to coordinate incident response activities related to their assigned CMS information systems.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the Senior Official for Privacy and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify IMT of incident 
situation\u003c/li\u003e\u003cli\u003eEnsure the Incident Response form has been completed as accurately as possible at the time of the initial report.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDesignated Appointee\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eUpdate the ServiceNow ticket as the situation arises and follow up with the CMS IT Helpdesk until the incident has been resolved.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContainment, Eradication and Recovery\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eChoose a containment strategy. The containment strategy is determined based on the type of the incident (e.g., disconnect system from the network, or disable certain functions). Frontline incident responders should work with the IMT to select an appropriate containment strategy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eGather and handle evidence. The CCIC Forensic, Malware and Analysis Team (FMAT) maintains the criteria for evidence collection and a procedure to ensure a chain of custody. The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eIdentify the attacking host. The following items taken from NIST-SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide \u003c/em\u003edescribe the most commonly performed activities for attacking host identification:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eValidating the Attacking Host’s IP Address: \u003c/strong\u003eNew incident handlers often focus on the attacking host’s IP address. 
The handler may attempt to validate that the address was not spoofed by verifying connectivity to it; however, this simply indicates that a host at that address does or does not respond to the requests. A failure to respond does not mean the address is not real, for example, a host may be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic address that has already been reassigned to someone else.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResearching the Attacking Host through Search Engines: \u003c/strong\u003ePerforming an Internet search using the apparent source IP address of an attack may lead to more information on the attack, for example, a mailing list message regarding a similar attack.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUsing Incident Databases: \u003c/strong\u003eSeveral groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time deny lists. The organization can also check its own knowledge base or issue tracking system for related activity.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitoring Possible Attacker Communication Channels: \u003c/strong\u003eIncident handlers can monitor communication channels that may be used by an attacking host. For example, many bots use IRC as the primary means of communication. Also, attackers may congregate on certain IRC channels to brag about compromises and share information. However, incident handlers should treat any such information acquired only as a potential lead, not as fact.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eEradicate the incident and recover. Eliminate components of the incident (e.g. delete malware, disable breached accounts, identify and mitigate vulnerabilities that were exploited). 
Incident responders should coordinate with the IMT to identify and execute a strategy for eradication of the incident. Once eradication has been completed, restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eConduct a lessons learned meeting. Learning and improving is one of the most important parts of incident response, and it is also the most often omitted. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the meeting include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eExactly what happened, and at what times?\u003c/li\u003e\u003cli\u003eHow well did staff and management perform in dealing with the incident? 
Were the documented procedures followed and adequate?\u003c/li\u003e\u003cli\u003eWhat information was needed sooner?\u003c/li\u003e\u003cli\u003eWere any steps or actions taken that might have inhibited the recovery?\u003c/li\u003e\u003cli\u003eWhat would the staff and management do differently the next time a similar incident occurs?\u003c/li\u003e\u003cli\u003eHow could information sharing with other organizations have been improved?\u003c/li\u003e\u003cli\u003eWhat corrective actions can prevent similar incidents in the future?\u003c/li\u003e\u003cli\u003eWhat precursors or indicators should be watched for in the future to detect similar incidents?\u003c/li\u003e\u003cli\u003eWhat additional tools or resources are needed to detect, analyze, and mitigate future incidents?\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eDocument the lessons learned and update IRP and associated procedures as necessary.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eEnsure evidence is retained and archived. The criteria for evidence collection, a procedure to ensure a chain of custody, and archival instructions are maintained by the CCIC Forensic, Malware and Analysis Team (FMAT). The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Incident Handling Processes (IR-04(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS employs automated mechanisms to support the incident handling process. CMS employs automated mechanism (e.g., online incident management systems) to support the organization’s incident handling process. 
The following table provides examples of tools used for automated incident handling processes at CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: Automated Tools\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTools\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eUsers\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eHHS RSA Archer\u003c/td\u003e\u003ctd\u003eThe HHS tool used for all incident/tracking and reporting. Users do not access HHS Archer directly.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eServiceNow\u003c/td\u003e\u003ctd\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS IT Service Desk CCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003cp\u003eCMS Users\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSplunk\u003c/td\u003e\u003ctd\u003eA logging solution for security (CMS Enterprise Security) and Operations and Maintenance (O\u0026amp;M) log management OCISO Systems Security Management (OSSM). It is used as an audit reduction tool by the agency to review audit logs.\u003c/td\u003e\u003ctd\u003eCCIC\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eInformation Correlation (IR-04(04))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Information Correlation is to ensure that CMS correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. 
To achieve this:\u003c/p\u003e\u003col\u003e\u003cli\u003eAll tickets submitted in ServiceNow are thoroughly worked through to determine the validity of being classified as an incident. The submitted tickets are correlated and analyzed for trends.\u003c/li\u003e\u003cli\u003eCCIC uses the SIEM tool, Splunk, to correlate data from various sources to receive alerts associated with incident breaches.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eIncident Monitoring (IR-05)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Monitoring is to ensure that CMS documents information system security incidents and maintains records about each incident such as the status of the incident, and pertinent information necessary for forensics (evaluating incident details, trends, and handling). At CMS, the CCIC delivers a number of important, agency-wide security services. One such service is Continuous Diagnostics and Mitigation (CDM), which is still in development and to which not all data centers have been transitioned. Other services include vulnerability management, security engineering, incident management, forensics and malware analysis, information sharing, cyber-threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eThe IMT is the group responsible for tracking and documenting security and privacy incidents. Stakeholders outside of the IMT (e.g., incident responders, ISSO, system owners, etc.) are responsible for providing the information necessary to track and monitor information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Tracking/Data Collection/Analysis (IR-05(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Tracking/Data Collection/Analysis is to ensure that CMS employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. 
At CMS, the RSA Archer/CFACTS SecOps Module is utilized for tracking potential incidents under investigation by the CCIC SOC. The IMT is responsible for maintaining the data in RSA Archer/CFACTS along with reviewing, updating, and analyzing the data and producing trend analysis.\u003c/p\u003e\u003cp\u003eThe following list details automated tools utilized at CMS to assist in the tracking of security incidents and in the collection and analysis of incident information. Once an incident has been reported, the external stakeholders will be able to leverage the benefits of these tools via the support provided by the IMT.\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS uses a ServiceNow ticketing system for all privacy and security incidents for incident/tracking and reporting.\u003c/li\u003e\u003cli\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/li\u003e\u003cli\u003eHHS Archer is the incident response tool used to notify HHS of an incident. A shell ticket is automatically created in HHS Archer when CMS IMT is assigned a ticket in ServiceNow.\u003c/li\u003e\u003cli\u003eThe CCIC IMT updates the incident information in ServiceNow which will post automatically to HHS Archer. 
This will occur until the incident has been resolved.\u003c/li\u003e\u003cli\u003eCMS RSA Archer/CFACTS SecOps Module is used for investigating potential incidents discovered by the CCIC SOC.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Reporting (IR-06)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe intent of this control is to ensure that CMS requires employees and contractors to report suspected or confirmed information security and privacy incidents to appropriate authorities and to ensure that a formal incident reporting process exists.\u003c/p\u003e\u003cp\u003eAs part of a robust, enterprise security operations program designed to reduce the risks of malicious activity, CMS established the CCIC to provide enterprise-wide situational awareness and near real-time risk management. The CCIC also provides information security and aggregated monitoring of security events across all CMS information systems. Finally, the CCIC notifies appropriate security operations staff of detected configuration weaknesses, vulnerabilities open to exploitation, relevant threat intelligence, including indicators of compromise (IOCs) and security patches. For purposes of incident response, the IMT as a sub-component of the CCIC provides incident response assistance and support. All information security and privacy incidents are to be reported to the CMS IT Service Helpdesk. 
The CMS IT Service Helpdesk will notify the IMT as appropriate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control IR-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-6\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eRequires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to [Assignment: organization-defined authorities]\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003eRequires personnel to report actual or suspected security and privacy incidents to the organizational incident response capability within 1 hour of discovery/notification; and\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to CMS IT Service Help Desk.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe following process details the CMS procedure for reporting suspected security and privacy incidents:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eReport the suspected information security and privacy incident to the CMS IT Service Desk at (410) 786-2580 (internal only) or (800) 562-1963 (internal and external) and/or email \u003ca 
href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. Additionally, contact your ISSO as soon as possible and apprise them of the situation. All suspected information security and privacy incidents must be reported to the CMS IT Service Desk within one hour of discovery.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAfter notifying the CMS IT Service Desk, collect as much supporting information as possible on the suspected security and privacy incident using the Incident Response Reporting Template located in the ISPL. Provide the information contained on the completed incident reporting form to the CMS IT Service Desk.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThis template replaces the previous HHS CMS Computer Security Incident Report form that was published separately to the information security library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Desk creates a ServiceNow ticket and enters the details on the suspected security and privacy incident. This ServiceNow ticket creates a shell ticket in HHS Archer, which is the HHS incident response tool.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe IMT will update the ServiceNow ticket, as necessary, which will automatically populate in HHS Archer until the incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eThe IMT analyzes the suspected incident, working with the SOC analyst as necessary, and if confirmed as an actual incident executes the incident handling procedures located in Section 3.5 Incident Handling.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Reporting (IR-06(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Reporting is to ensure that CMS employs automated mechanisms to assist in the reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Automated Reporting:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk and report the information security incident.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe CMS IT Service Helpdesk will open a ServiceNow ticket and record the incident. This ServiceNow ticket automatically generates an Archer ticket notifying HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Helpdesk will then assign the ticket to the IMT and they will evaluate the incident report while providing updates to CMS CISO and HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe user (reporter) will continue to update the incident report in ServiceNow or contact the CMS IT Service Helpdesk.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eIf the IMT finds that the event is valid, the user will be contacted and the mitigation process will start.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6: \u003c/strong\u003eIf the IMT finds that the event is not valid, the IMT will close out the ticket and contact the user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7: \u003c/strong\u003eThe user (reporter) will work with the IMT until remediation of the security incident.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Assistance (IR-07)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Assistance is to ensure that CMS provides an incident response support resource, integral to the CMS’ incident capability that offers advice and assistance to users of the information system for handling and reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Incident Response assistance:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk for incident response assistance. The CMS IT Service Desk notifies the IMT as appropriate.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe IMT will evaluate, validate the incident and assist with the mitigation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAutomation Support for Availability of Information/Support (IR-07(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automation Support for Availability of Information Support is to ensure that CMS employs automated mechanisms to increase the availability of incident response-related information and support.\u003c/p\u003e\u003cp\u003eCMS uses multiple resources to provide the user community information/support. These include but are not limited to intranets, mailboxes, and online libraries.\u003c/p\u003e\u003cp\u003eUsers may use the following resources for Automation Support for Availability of Information/Support:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/\"\u003eThe CMS website\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe CMS CISO mailbox at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS IT Service Desk at \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS Incident Management Team (IMT) at \u003ca href=\"mailto:IncidentManagement@cms.hhs.gov\"\u003eIncidentManagement@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"http://intranet.cms.gov/\"\u003eThe CMS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.hhs.gov/ocio\"\u003eThe HHS.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe \u003ca href=\"https://intranet.hhs.gov/\"\u003eHHS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan (IR-08)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Plan (IRP) is to provide a roadmap for implementing the incident response capability. Each organization needs a plan that meets its unique requirements, which relates to the organization’s mission, size, structure, and functions. The plan should lay out the necessary resources and management support. The incident response plan should include the following elements:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePurpose\u003c/li\u003e\u003cli\u003eScope\u003c/li\u003e\u003cli\u003eDefinitions\u003c/li\u003e\u003cli\u003eRoles and Responsibilities\u003c/li\u003e\u003cli\u003eUnderstanding an Incident\u003c/li\u003e\u003cli\u003eIncident Life Cycle\u003cul\u003e\u003cli\u003ePreparation\u003c/li\u003e\u003cli\u003eDetection and Analysis\u003c/li\u003e\u003cli\u003eContainment, Eradication and Recovery\u003c/li\u003e\u003cli\u003ePost-Incident Activity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReporting Requirements\u003c/li\u003e\u003cli\u003ePoints of Contact\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe incident response policy is established in the CMS IS2P2 and has been included in this handbook. The Incident Response Plan template is attached to this document as Appendix B. This document provides incident response procedure to facilitate the implementation of incident response controls. 
Incident response plan, policy, and procedure creation are an important part of establishing a team and permits incident response to be performed effectively, efficiently, and consistently; and so that the team is empowered to do what needs to be done.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters - Control IR-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by [Assignment: organization- defined personnel or role];\u003c/p\u003e\u003cp\u003eb. Distributes copies of the incident response plan to [Assignment organization- defined incident response personnel (identified by name and/or role) and organizational elements]\u003c/p\u003e\u003cp\u003ec. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to [Assignment: organization- defined incident response personnel (identified by name and/or by role) and organizational elements]; and Protects the incident response plan from unauthorized disclosure and modification\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by the applicable Business Owner at least annually.\u003c/p\u003e\u003cp\u003eb. 
Distributes copies of the incident response plan to CMS CIO, CMS CISO, ISSO, CMS OIG Computer Crime Unit (CCU), All personnel within the CMS Incident Response Team, PII Breach Response Team and Operations Centers.\u003c/p\u003e\u003cp\u003ec. Reviewed annually; updated as required\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to all stakeholders.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CCIC IMT created an IRP that provides the CMS with a roadmap for implementing its incident response capability and outlines the incident response process for the IMT. In addition, each information system is responsible for maintaining a separate IRP that describes the system’s internal processes for incident response and leverages the capability of the IMT. The following steps detail the process for creating an IRP using the template located in the ISPL:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete a draft IRP by leveraging the template and instructions located in Appendix B.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eSubmit the draft IRP to the information system’s assigned CRA for ISPG approval. Update that plan as necessary based on the feedback received from ISPG.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDocument the plan approval by having the Business Owner and ISSO sign the plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eDisseminate the plan to all appropriate stakeholders to include: the CRA, ISSO, BO, Incident Responders, System Developers, and System Administrators.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eCMS Security \u0026amp; Privacy Incident Report Form\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Security and Privacy Incident Report\u003c/strong\u003e is a form to be filled out when someone has an incident to report. 
\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/rmh-chapter-08-incident-response-appendix-k-incident-report-template\"\u003eYou can access the form and instructions here\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Steps for CISO\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSignificant Event/Potential Incident Reported\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive notification from DCTSO Director or IR Fed Lead\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eWas this incident reported to HHS Office of Civil Rights (OCR) in accordance with HIPAA and for Protected Health Information (PHI)? 
Refer to the OCR website for any details about the event / incident.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eObtain situational awareness \u003c/strong\u003eof the potential incident and the likely\u003c/p\u003e\u003cp\u003eimpact(s) on CMS data and /or CMS FISMA systems.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident situation reports from IMT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eWhen engaging an external partner, consider including or informing HHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR), which executes the Federal coordination responsibilities on behalf of HHS regarding the critical infrastructure public-private partnership for the Healthcare and Public Healthcare Sector (identified in PPD-21 and the National Infrastructure Protection Plan (NIPP)).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident 
\u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will coordinate with IMT to ensure all stakeholders are on security bridge (e.g., SOP, OL, OA, HHS)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? 
If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eDoes CMS have relevant experience or capabilities that it could deploy?\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eTriage and determine if risk analysis should be performed\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eOC/OL will keep the response teams apprised of public or legislative affairs matters related to the event/incident (e.g., Congressional inquiries and media monitoring)\u003c/li\u003e\u003cli\u003eIf communication of CMS risks or potential impacts is necessary, coordinate development of messaging and identify communication channels\u003c/li\u003e\u003cli\u003eReceive impact analysis and make a decision regarding additional analysis of impacts to CMS\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency 
partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eDetermine specific CMS impacts \u003c/strong\u003e(e.g., PII, PHI, FTI, contracts, \u0026amp; other business partners) and \u003cstrong\u003eDetermine specific impacts to CMS data \u003c/strong\u003e(e.g., PII,\u003c/p\u003e\u003cp\u003ePHI, FTI)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eProvide guidance to IR staff about cadence of status reporting\u003c/li\u003e\u003cli\u003eEscalate incident to HHS leadership\u003c/li\u003e\u003cli\u003eWhen findings are presented, consider if public and/or external communication may be appropriate (even if it is not legally necessary or required)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIn accordance with OMB M-20-04, report “\u003cem\u003emajor incidents” \u003c/em\u003eto Congress within seven days.\u003c/li\u003e\u003cli\u003eWhen evaluating impacts to CMS systems, engage business owners and system owners (including ISSOs) and include the impacts to their environments in status reports.\u003c/li\u003e\u003cli\u003eIf sensitive information other than PII, 
PHI, or FTI (e.g., proprietary information) is at risk, consider the risk to the agency and determine appropriate next steps.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e6\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident \u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will likely lead the meeting(s)/call(s), with\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e7\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExecute SOPs to contain and eradicate cause of the 
event/incident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide additional guidance/direction as necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDoes CMS have relevant experience or capabilities that it could deploy or offer to assist the external partner(s)?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e8\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eMonitor event/incident to assess changes in risk to CMS systems and/or data\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf changes in risk to CMS systems and/or data are evident, go to \u003cstrong\u003eStep 2A\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide counsel to leadership and response teams as appropriate\u003c/li\u003e\u003cli\u003eOC/OL: Determine if monitoring of media and Congressional sources is necessary, and communicate requests or news to leadership and response teams. 
Coordinate requests for information or messages that may need to be communicated externally\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDevelop lessons learned and recommend program enhancements\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eParticipate in IMT-led lessons learned development process and inform recommendations\u003c/li\u003e\u003cli\u003eReview lessons learned and submit to business \u0026amp; system owners\u003c/li\u003e\u003cli\u003eReview and support POA\u0026amp;Ms as required\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDetermine if policy changes need to occur in order to further safeguard CMS data.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e10\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eConclude incident and complete external communications 
activities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReview final Security Incident Report (SIR)\u003c/li\u003e\u003cli\u003eReport closure of incident as appropriate/necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContacts\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContact\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eNumber\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Management Team (IMT)\u003c/td\u003e\u003ctd\u003e443-316-5005\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSenior Official for Privacy (SOP)\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDCTSO Director\u003c/td\u003e\u003ctd\u003e410-786-5956\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPC Director\u003c/td\u003e\u003ctd\u003e410-786-6918\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPPG 
Director\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Communications (OC)\u003c/td\u003e\u003ctd\u003e410-786-8126\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Legislation (OL)\u003c/td\u003e\u003ctd\u003e202-619-0630\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of the Administrator (OA)\u003c/td\u003e\u003ctd\u003e410-786-3000\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR)\u003c/td\u003e\u003ctd\u003e202-205-8114\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of Inspector General (OIG)\u003c/td\u003e\u003ctd\u003e800-447-8477\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBridge\u003c/td\u003e\u003ctd\u003e877-267-1577 (meeting ID will be shared by IMT upon notification)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Notification Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNotification\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eWho Notifies?\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll incidents\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT\u003c/li\u003e\u003cli\u003eHHS CSIRC\u003c/li\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCMS IT Service Desk notifies IMT of an incident\u003c/li\u003e\u003cli\u003eCMS incident tickets are mirrored in the HHS Archer, which notifies HHS CSIRC\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving a CMS 
System\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eSO\u003c/li\u003e\u003cli\u003eBO\u003c/li\u003e\u003cli\u003eISSO\u003c/li\u003e\u003cli\u003eDG\u003c/li\u003e\u003cli\u003eCRA\u003c/li\u003e\u003cli\u003eUS-CERT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts CMS Personnel.\u003c/li\u003e\u003cli\u003eHHS CSIRC handles US-CERT reporting.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving suspected criminal activity\u003c/td\u003e\u003ctd\u003eHHS OIG\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving employees\u003c/td\u003e\u003ctd\u003eCMS Office of Human Capital\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving legal ramifications\u003c/td\u003e\u003ctd\u003eCMS Office of Legislation\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eISPG (to convene Breach Analysis Team)\u003c/li\u003e\u003cli\u003eIndividuals affected by PII/PHI compromise\u003c/li\u003e\u003cli\u003eHHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts ISPG of suspected breach\u003c/li\u003e\u003cli\u003eCMS SOP and BO create a notification plan for affected individuals, subject to review by HHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches affecting 500 or more people\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eHHS OCR\u003c/li\u003e\u003cli\u003eMedia outlets, as appropriate\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003eCMS SOP\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches requiring Media Outreach\u003c/td\u003e\u003ctd\u003eCMS Office of Communications\u003c/td\u003e\u003ctd\u003eCMS 
SOP\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe objective of this Incident Response Plan (IRP) is to outline the incident handling and response process for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; in accordance with the requirements outlined in the CMS Acceptable Risk Safeguards (ARS) and CMS Risk Management Handbook (RMH) Chapter 8, Incident Response. This plan covers all assets within the information system boundary, transmitting, storing, or processing CMS information. Furthermore, this plan describes how to manage incident response according to all Federal, Departmental and Agency requirements, policies, directives, and guidelines.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThis IRP is written for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; stakeholders with incident response roles and responsibilities and describes those responsibilities for each phase of the incident life cycle. 
This plan establishes a quick reference for security and privacy incident handling and response.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe following key terms and definitions relate to incident response:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdministrative Vulnerability: \u003c/strong\u003eAn administrative vulnerability is a security weakness caused by incorrect or inadequate implementation of a system’s existing security features by the system administrator, security officer, or users. An administrative vulnerability is not the result of a design deficiency. It is characterized by the fact that the full correction of the vulnerability is possible through a change in the implementation of the system or the establishment of a special administrative or security procedure for the system administrators and users. Poor passwords and inadequately maintained systems are the leading causes of this type of vulnerability.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach: \u003c/strong\u003eA breach is an incident that poses a reasonable risk of harm to the applicable individuals. For the purposes of Office of Management and Budget (OMB) OMB M-17-12 (for PII incidents) and Health Information Technology for Economic and Clinical Health (HITECH) Act (for PHI incidents) reporting requirements, a privacy incident does not rise to the level of a breach until it has been determined that the use or disclosure of the protected information compromises the security or privacy of the protected individual(s) and poses a reasonable risk of harm to the applicable individuals. 
For any CMS privacy incident, the determination of whether it may rise to the level of a breach is made (exclusively) by the CMS Breach Analysis Team (BAT), which determines whether the privacy incident poses a significant risk of financial, reputational, or other harm to the individual(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent: \u003c/strong\u003eAn event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Tax Information (FTI): \u003c/strong\u003eGenerally, Federal Tax Returns and return information are confidential, as required by Internal Revenue Code (IRC) Section 6103. Information provided by the Internal Revenue Service (IRS) is considered FTI, and the agencies, bodies, and commissions that receive it are responsible for\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003emaintaining appropriate safeguards to protect the information’s confidentiality. 
[IRS 1075] Tax return information that is not provided by the IRS falls under PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Response: \u003c/strong\u003eIncident response outlines steps for reporting incidents and lists actions to be taken to resolve information systems security and privacy related incidents.\u0026nbsp; Handling an incident entails forming a team with the necessary technical capabilities to resolve an incident, engaging the appropriate personnel to aid in the resolution and reporting of such incidents to the proper authorities as required, and report closeout after an incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Incident: \u003c/strong\u003eA Privacy Incident is a Security Incident that involves Personally Identifiable Information (PII), Protected Health Information (PHI), or Federal Tax Information (FTI) where there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or authorized users acting for other than authorized purposes, have access or potential access to the information. 
Users must have access or potential access to PII, PHI and/or FTI in usable form whether physical or electronic.\u003c/p\u003e\u003cp\u003ePrivacy incident scenarios include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLoss of federal, contractor, or personal electronic devices that store PII, PHI and/or FTI affiliated with CMS activities (i.e., laptops, cell phones that can store data, disks, thumb-drives, flash drives, compact disks, etc.)\u003c/li\u003e\u003cli\u003eLoss of hard copy documents containing PII, PHI and/or FTI\u003c/li\u003e\u003cli\u003eSharing paper or electronic documents containing PII, PHI and/or FTI with individuals who are not authorized to access it\u003c/li\u003e\u003cli\u003eAccessing paper or electronic documents containing PII, PHI and/or FTI without authorization or for reasons not related to job performance\u003c/li\u003e\u003cli\u003eEmailing or faxing documents containing PII, PHI and/or FTI to inappropriate recipients, whether intentionally or unintentionally\u003c/li\u003e\u003cli\u003ePosting PII, PHI and/or FTI, whether intentionally or unintentionally, to a public website\u003c/li\u003e\u003cli\u003eMailing hard copy documents containing PII, PHI and/or FTI to the incorrect address\u003c/li\u003e\u003cli\u003eLeaving documents containing PII, PHI and/or FTI exposed in an area where individuals without approved access could read, copy, or move for future use\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSecurity Incident: \u003c/strong\u003eIn accordance with \u003cem\u003eNIST SP 800-61 Revision 2, Computer Security Incident Handling Guide\u003c/em\u003e, a Security Incident is defined as an event that meets one or more of the following criteria:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in any information system processing information on behalf of CMS. 
It also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents and misrouting of mail, all of which may have the potential to put CMS data at risk of unauthorized access, use, disclosure, modification, or destruction\u003c/li\u003e\u003cli\u003eAn occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits\u003c/li\u003e\u003cli\u003eA violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTechnical Vulnerability: \u003c/strong\u003eA technical vulnerability is a hardware, firmware, or software weakness or design deficiency that leaves a system open to potential exploitation, either externally or internally, thus increasing the risk of compromise, alteration of information, or denial of service.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert the roles and responsibilities associated with this plan. 
Possible roles include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eBusiness Owners:\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Owner(s)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCyber Risk Advisors (CRA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Security Officer (i.e., ISSO)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCCIC Incident Management Team (i.e., CCIC IMT)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eFor a detailed description of the responsibilities associated with these role please refer to the CMS IS2P2 located at: \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003e\u003cem\u003e\u003cstrong\u003ehttps://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\u003c/strong\u003e\u003c/em\u003e\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eUnderstanding an Incident\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe following lists a small subset of common well known incidents:\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Destruction or Corruption: \u003c/strong\u003eThe loss of data integrity can take many forms including changing permissions on files making the files writable by non-privileged users, deleting data files and or programs, changing audit files to cover-up an intrusion, changing configuration files that determine how and 
what data is stored and ingesting information from other sources that may be corrupt\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData Compromise and Data Spills: \u003c/strong\u003eData compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMalicious Software (Malware): \u003c/strong\u003eMalicious code is software based attacks used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem. 
The following is a brief listing of various software attacks:\u003col\u003e\u003cli\u003e\u003cstrong\u003eVirus: \u003c/strong\u003eIt is propagated via a triggering mechanism (e.g., event time) with a mission (e.g., delete files, corrupt data, send data).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWorm: \u003c/strong\u003eAn unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eTrojan Horse: \u003c/strong\u003eA useful and innocent program containing additional hidden code that allows unauthorized computer network exploitation (CNE), falsification, or destruction of data.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eSpyware: \u003c/strong\u003eSurreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRootkit Software: \u003c/strong\u003eSoftware that is intended to take full or partial control of a system at the lowest levels. Contamination is defined as inappropriate introduction of data into a system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivileged User Misuse: \u003c/strong\u003ePrivileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecurity Support Structure Configuration Modification: \u003c/strong\u003eSoftware, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled. 
SSSs are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eNote: These categories of incidents are not necessarily mutually exclusive.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eCauses of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalicious Code: \u003c/strong\u003eMalicious code is software or firmware intentionally inserted into an information system for an unauthorized purpose\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSystem Failures: \u003c/strong\u003eProcedure Failures or Improper Acts. A secure operating environment depends upon proper operation and use of systems. Failure to comply with established procedures, or errors/limitations in the procedures for a CMS system, can damage CMS reputation and increase vulnerability/risk to the system or application. While advances in computer technology enable the building of increased security into the CMS architecture, much still depends upon the people operating and using the system(s). Improper acts may be differentiated from insider attack according to intent. With improper acts, someone may knowingly violate policy and procedures, but is not intending to damage the system or compromise the information it contains\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eIntrusions or Break-Ins: \u003c/strong\u003eAn intrusion or break-in is entry into and use of a system by an unauthorized individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInsider Attack: \u003c/strong\u003eInsider attacks can pose the greatest risk. 
In an insider attack, a trusted user or operator attempts to damage the system or compromise the information it contains\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eAvenues of Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAs with any information system, attacks can originate through certain avenues or routes. An attack avenue is a path or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack avenues enable attackers to exploit system vulnerabilities, including the human element. If a system were locked in a vault with security personnel surrounding it, and if the system were not connected to any other system or network, there would be virtually no avenue of attack. However, there are numerous avenues of attack.\u003c/p\u003e\u003cul\u003e\u003cli\u003eLocal and/or partner networks\u003c/li\u003e\u003cli\u003eUnauthorized devices (including non-approved connections to a local network)\u003c/li\u003e\u003cli\u003eGateways to outside networks\u003c/li\u003e\u003cli\u003eCommunications devices\u003c/li\u003e\u003cli\u003eShared disks\u003c/li\u003e\u003cli\u003eRemovable media\u003c/li\u003e\u003cli\u003eDownloaded software\u003c/li\u003e\u003cli\u003eDirect physical access\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePossible Impacts of an Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOne of the major concerns of a verifiable computer security attack is that sensitive PII is compromised. 
The release of sensitive information to people without the proper need-to-know or formal authorization jeopardizes the tenets of Confidentiality, Integrity and Availability (CIA). In addition, users may lose trust in computing systems and become hesitant to use one that has a high frequency of incidents or even a high frequency of events that cause the user to distrust the integrity of the federal system. Moreover, users become disenfranchised with any action that causes all or part of the network’s service to be stopped entirely, interrupted, or degraded sufficiently to impact operations, as with a DoS attack. The list of impacts from attacks that compromise computer security includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDenial of Service\u003c/li\u003e\u003cli\u003eLoss or Alteration of Data or Programs\u003c/li\u003e\u003cli\u003ePrivacy Incidents, including those resulting in identity theft or data breach\u003c/li\u003e\u003cli\u003eLoss of Trust in Computing Systems\u003c/li\u003e\u003cli\u003eThe loss of intellectual property and CMS confidential information\u003c/li\u003e\u003cli\u003eReputational damage to the organization\u003c/li\u003e\u003cli\u003eThe additional cost of securing networks, insurance, and recovery from attacks\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Life Cycles\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe incident response process has four phases. 
Review the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Incident Lifecycle\u003c/a\u003e.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003ePreparation ensures that the organization is ready to respond to incidents, but can also prevent incidents by ensuring that systems, networks, and applications are sufficiently secure. The following describes the techniques utilized by the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; to prepare for security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to prepare for information security incidents. Examples of preparation methods are implementing incident response tools, establishing security baselines, and running periodic announced training and/or unannounced drills. For additional information on preparation activities, please review Section 3.3.1 Preparation of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe how incidents involving PII are to be handled, including the policies and procedures that have been developed and how those policies and procedures are communicated to the staff. Staff should be informed of the consequences of their actions for inappropriate use and handling of PII. Describe how it is determined that the existing processes are adequate and that staff understand their responsibilities. Describe how suspected or known incidents involving PII are reported to the business owner, information system owner, CRA, ISSO, and CCIC IMT. 
Describe what information needs to be reported, and to whom.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIncidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies. The following section describes the techniques utilized by the \u0026lt;system name\u0026gt; to detect and analyze security incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to detect and analyze information security incidents. Examples of detection and analysis methods are: prepare for common attack vectors, recognize the signs of an incident, and document and prioritize the incident. For additional information on detection and analysis activities, please review Section 3.3.2 Detection and Analysis of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to detect and analyze incidents involving PII that are the responsibility of the information staff. Describe how it is ensured that the analysis process includes an evaluation of whether an incident involved PII, focusing on both known and suspected breaches of PII. 
Detection of an incident involving PII also requires reporting internally, to US-CERT, and externally, as appropriate; this is a CCIC IMT responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eContainment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eContainment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making. Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. The following section describes the containment strategies and procedures for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt;:\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the strategies and procedures in place for the information system to contain information security incidents. Examples of containment strategies are, shut down a system, disconnect it from a network, and/or disable certain functions. 
For additional information on Containment activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the strategies and procedures in place for containing incidents involving PII.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that the hosts can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to eradicate and recover from information security incidents. Example methods for eradication are: delete malware, disable breached accounts, and identify and mitigate vulnerabilities that were exploited. Example activities associated with recovering from information security incidents are: restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents. 
For additional information on Eradication and Recovery activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe if media sanitization steps are performed when PII needs to be deleted from media during recovery. PII should not be sanitized until a determination has been made about whether the PII must be preserved as evidence. Describe whether forensic techniques are needed to ensure preservation of evidence. If PII was accessed, describe how it is determined how many records or individuals were affected. These activities should be coordinated with the CCIC IMT.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been eradicated and recovery completed, each incident response team should evolve to reflect upon new threats, improve technology, and document lessons learned. Holding a lessons learned meeting with all involved parties after a major incident, and optionally after lesser incidents, can be extremely helpful in improving information security measures and the incident handling process.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to conduct post-incident activity after information security incidents. Example methods for post-incident activity are: conduct a lessons learned meeting, document the lessons learned, update the IRP and associated procedures as necessary, and ensure evidence is retained and archived. 
For additional information on post-incident activity, review Post-Incident Activity of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to conduct post-incident activity after incidents involving PII. This should include how the IRP is continually updated and improved based on the lessons learned during each incident. Sharing information within CMS and US-CERT to help protect against future incidents is a CCIC responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eReporting Requirements\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the information system process for reporting information security incidents. Incidents should be reported to the \u003c/em\u003eCMS IT Service Desk within one hour by calling (410) 786-2580 (i.e., internal) or (1- 800) 562-1963 (internal and external) or by emailing \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. For information on reporting requirements \u003cem\u003efor information security and privacy incidents, \u003c/em\u003ereview Section 3.5 Incident Reporting and the Incident Response Reporting Template in \u003cem\u003eThe CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePoints of Contact\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Responders\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Administrators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Developers\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePlan Approval\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003cbr\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Test Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Topic\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cem\u003e\u0026lt;Insert Topic\u0026gt;\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scope\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the scope of the incident response test to include who will participate in the exercise, the purpose of the test, and the expected outcome.\u0026nbsp; All personnel with responsibilities under the incident response plan should participate in the exercise.\u0026nbsp; The exercise should apply to the roles and responsibilities.\u0026nbsp; This includes personnel within the incident response plan being exercised and focus on validating that the documented roles, responsibilities, and interdependencies are accurate and current.\u0026nbsp; To ensure that the knowledge of the roles and responsibilities identified in the plan being exercised is current, it is often effective to conduct a training session in conjunction 
with any tabletop exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Objectives\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eThe objectives of this test are as follows:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate the content of the incident response plan and the related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate participants’ roles and responsibilities as documented in the incident response plan and validate the interdependencies documented in the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo meet regulatory requirements, specifically the NIST SP 800-53 Rev. 4 requirements for incident response testing and incident response training.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo document lessons learned that may be utilized to update the incident response plan and related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eParticipants\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert participants; the participants should consist of personnel with roles and responsibilities identified in the incident response plan.\u0026nbsp; For example, training staff, validation staff, and evaluation staff\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Facilitator\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who will lead the discussion among the exercise 
participants\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eData Collector\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who records information about the actions that occur during the exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate of Testing\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date and time of testing\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eLocation\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert Location\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEquipment Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required equipment, for example, audio visual equipment, whiteboard, flipchart\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMaterial Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required material, for example, participant guides, PowerPoint presentations, handouts\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scenarios\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Questions\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert a list of questions regarding the scenario that address the exercise objective.\u0026nbsp; Below are 
sample questions taken from NIST Special Publication 800-61 Computer Security Incident Handling Guide\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePreparation:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWould the organization consider this activity to be an incident?\u0026nbsp; If so, which of the organization’s policies does this activity violate?\u003c/li\u003e\u003cli\u003eWhat measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eDetection and Analysis:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat precursors of the incident, if any, might the organization detect?\u0026nbsp; Would any precursors cause the organization to take action before the incident occurred?\u003c/li\u003e\u003cli\u003eWhat indicators of the incident might the organization detect?\u0026nbsp; Which indicators would cause someone to think that an incident might have occurred?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to detect this particular incident?\u003c/li\u003e\u003cli\u003eHow would the incident response team analyze and validate this incident?\u0026nbsp; What personnel would be involved in the analysis and validation process?\u003c/li\u003e\u003cli\u003eTo which people and groups within the organization would the team report the incident?\u003c/li\u003e\u003cli\u003eHow would the team prioritize the handling of this incident?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eContainment, Eradication, and Recovery:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat strategy should the organization take to contain the incident?\u0026nbsp; Why is this strategy preferable to others?\u003c/li\u003e\u003cli\u003eWhat could happen if the incident were not contained?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to respond to this particular 
incident?\u003c/li\u003e\u003cli\u003eWhich personnel would be involved in the containment, eradication, and/or recovery processes?\u003c/li\u003e\u003cli\u003eWhat sources of evidence, if any, should the organization acquire?\u0026nbsp; How would the evidence be acquired?\u0026nbsp; Where would it be stored?\u0026nbsp; How long should it be retained?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003ePost-Incident Activity:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWho would attend the lessons learned meeting regarding this incident?\u003c/li\u003e\u003cli\u003eWhat could be done to prevent similar incidents from occurring in the future?\u003c/li\u003e\u003cli\u003eWhat could be done to improve detection of similar incidents?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eGeneral Questions:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eHow many incident response team members would participate in handling this incident?\u003c/li\u003e\u003cli\u003eBesides the incident response team, what groups within the organization would be involved in handling this incident?\u003c/li\u003e\u003cli\u003eTo which external parties would the team report the incident?\u0026nbsp; When would each report occur?\u003c/li\u003e\u003cli\u003eHow would each report be made?\u0026nbsp; What information would you report or not report, and why?\u003c/li\u003e\u003cli\u003eWhat other communications with external parties may occur?\u003c/li\u003e\u003cli\u003eWhat tools and resources would the team use in handling this incident?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus 
offsite)?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePlan Being Exercised\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name and location of the incident response plan being exercised\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Agenda\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIntroductions\u003c/li\u003e\u003cli\u003eReview Exercise Scope and Logistics\u003c/li\u003e\u003cli\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/li\u003e\u003cli\u003eData Collector records observations (on-going)\u003c/li\u003e\u003cli\u003eConduct exercise debrief/hotwash\u003c/li\u003e\u003cli\u003eExercise Participants released\u003c/li\u003e\u003cli\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Plan Approval\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert signature by approval authority (e.g., Business Owner or ISSO)\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Participant Guide Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eParticipant Guide\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn an 
effort to validate \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; \u0026lt;\u003cem\u003einsert name of plan being exercised\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; will conduct a tabletop exercise to examine processes and procedures associated with the implementation of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u0026nbsp; This discussion-based exercise will be a \u0026lt;\u003cem\u003einsert number of hours\u003c/em\u003e\u0026gt;-hour event that will begin at \u0026lt;\u003cem\u003einsert start time\u003c/em\u003e\u0026gt; and will last until \u0026lt;\u003cem\u003einsert end time\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003cp\u003eThe exercise is designed to facilitate communication among personnel with incident response roles and responsibilities.\u0026nbsp; The following scenarios have been chosen for this exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert scenarios from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis exercise is designed to improve the readiness of the \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; and help validate existing \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt; procedures.\u003c/p\u003e\u003cp\u003eParticipants should come to the exercise prepared to discuss high-level issues related to the incident handling based on the scenarios above.\u0026nbsp; To achieve the exercise’s stated objectives, discussion will focus on the following questions related to the scenarios and the incident response plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert questions from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eParticipants may choose to bring incident response narrative or reference material that will aid in answering the above questions.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConcept of 
Operations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA tabletop exercise is a discussion-based event in which participants meet in a “classroom” setting to address the actions participants would take in response to an emergency.\u0026nbsp; Tabletops are an effective initial step for personnel to discuss the full range of issues related to a crisis scenario.\u0026nbsp; These exercises provide an excellent forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans.\u0026nbsp; A tabletop exercise also satisfies the training requirement for personnel with incident response roles and responsibilities.\u003c/p\u003e\u003cp\u003eParticipants will be presented with an incident response scenario.\u0026nbsp; A facilitator will help guide discussion by asking questions designed to address the exercise’s objectives.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert objectives from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDebriefing/Hotwash Questions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAn after action report identifying strengths and areas where improvements might be made will be provided after the exercise.\u0026nbsp; The following questions are designed to obtain input into the after action report from participants:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAre there any other issues you would like to discuss that were not raised?\u003c/li\u003e\u003cli\u003eWhat are the strengths of the incident response plan?\u0026nbsp; What areas require closer examination?\u003c/li\u003e\u003cli\u003eWas the exercise beneficial?\u0026nbsp; Did it help prepare you to execute on your incident response roles and responsibilities?\u003c/li\u003e\u003cli\u003eWhat did you gain from the exercise?\u003c/li\u003e\u003cli\u003eHow can we improve future exercises and tests?\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report 
Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAfter Action Report\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eOn \u0026lt;\u003cem\u003einsert date\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; participated in a \u0026lt;\u003cem\u003einsert duration of exercise\u003c/em\u003e\u0026gt;-hour tabletop exercise designed to validate the organization’s understanding of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eCopy objectives from approved Test Plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDiscussion Findings\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u0026lt;\u003cem\u003einsert exercise name\u003c/em\u003e\u0026gt; provided information on \u0026lt;\u003cem\u003einsert relevant information\u003c/em\u003e\u0026gt;.\u0026nbsp; An important benefit of the exercise was the opportunity for participants to raise important questions, concerns, and issues.\u003c/p\u003e\u003cp\u003eThe discussion findings from the exercise along with any necessary recommended actions are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe exercise provided an excellent opportunity for participants to \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u0026nbsp; As a result of the exercise, participants left with a heightened awareness of \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific 
Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSpecific observations made during the exercise, and recommendations for enhancement of the plan, are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 1. \u0026lt;\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003eInsert general topic area\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 2. \u003c/strong\u003e\u003cem\u003e\u003cstrong\u003e\u0026lt;Insert general topic area\u0026gt;\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003eBelow is an \u003cstrong\u003eexample\u003c/strong\u003e of a completed observation and recommendations; all text in blue should be deleted upon the completion of the After-Action Report.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cem\u003eExample Observations and Recommendations:\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 1.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCommunication\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eA plan identifying the process for communicating with incident response team members does not exist.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eRecommendations:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe organization should consider developing a communications 
plan that establishes standardized communications requirements, addresses how stolen documents will be investigated, and describes procedures for incident response team personnel working with organizations to investigate breaches.\u003c/li\u003e\u003cli\u003eThe organization should identify weaknesses in the incident handling plan and procedures to ensure that all essential personnel can be contacted in the event of a sensitive document breach.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 2.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIncident Breach Handling Protocol\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eEssential personnel have not been made aware of the organizational impact of stolen documents, nor of the incident breach handling protocol for investigation and recovery.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe agency should examine the criteria for ALL personnel having access to sensitive organization documents.\u0026nbsp; In addition, all personnel might need to attend a security training and awareness course on how to report incidents or suspicious activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eSample Incident Scenarios\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 1: Domain Name System (DNS) Server Denial of Service (DoS)\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. 
Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhom should the organization contact regarding the external IP address in question?\u003c/li\u003e\u003cli\u003eSuppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?\u003c/li\u003e\u003cli\u003eSuppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday morning, a new worm is released; it spreads itself through removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent. 
The organization has already incurred widespread infections before antivirus signatures become available several hours after the worm started to spread.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the incident response team identify all infected hosts?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eWould the organization attempt to patch all vulnerable machines? If so, how would this be done?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization’s website the next morning?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if one or more of the infected hosts contained sensitive personally identifiable information regarding the organization’s employees?\u003c/li\u003e\u003cli\u003eHow would the incident response team keep the organization’s users informed about the status of the incident?\u003c/li\u003e\u003cli\u003eWhat additional measures would the team perform for hosts that are not currently connected to the network (e.g., staff members on vacation, offsite employees who connect occasionally)?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 3: Stolen Documents\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s 
systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eFrom what sources might the incident response team gather evidence?\u003c/li\u003e\u003cli\u003eWhat would the team do to keep the investigation confidential?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team identified an internal host responsible for the leaks?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 4: Compromised Database Server\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. 
The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat sources might the team use to determine when the compromise had occurred?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team discovered a rootkit on the server?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 5: Unknown Exfiltration\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what was most likely inside the .RAR files? 
Which other teams might assist the incident response team?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 6: Unauthorized Access to Payroll Records\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. 
The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what actions had been performed?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the team had reason to believe that the person was a current employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 7: Disappearing Host\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. 
When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat data sources might contain information regarding the identity of the vulnerability scanning host?\u003c/li\u003e\u003cli\u003eHow would the team identify who had been performing the vulnerability scans?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at external hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 8: Telecommuting Compromise\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. 
The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the external IP address belonged to an open proxy?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?\u003c/li\u003e\u003cli\u003eSuppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer?\u003c/li\u003e\u003cli\u003eSuppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? 
How would this affect the handling of the incident if the user were a high-ranking executive in the organization?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 9: Anonymous Threat\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, the organization’s physical security team receives a call from an IT manager, reporting that two of her employees just received anonymous threats against the organization’s systems. Based on an investigation, the physical security team believes that the threats should be taken seriously and notifies the appropriate internal teams, including the incident response team, of the threats.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the incident response team do differently, if anything, in response to the notification of the threats?\u003c/li\u003e\u003cli\u003eWhat impact could heightened physical security controls have on the team’s responses to incidents?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 10: Peer-to-Peer File Sharing\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe organization prohibits the use of peer-to-peer file sharing services. The organization’s network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file sharing services. 
On a Monday evening, an intrusion detection analyst notices that several file sharing alerts have occurred during the past three hours, all involving the same internal IP address.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?\u003c/li\u003e\u003cli\u003eWhat privacy considerations may impact the handling of this incident?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 11: Unknown Wireless Access Point\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s help desk receives calls from three users on the same floor of a building who state that they are having problems with their wireless access. A network administrator who is asked to assist in resolving the problem brings a laptop with wireless access to the users’ floor. As he views his wireless networking configuration, he notices that there is a new access point listed as being available. He checks with his teammates and determines that this access point was not deployed by his team, so that it is most likely a rogue access point that was established without permission.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should be the first major step in handling this incident (e.g., physically finding the rogue access point, logically attaching to the access point)?\u003c/li\u003e\u003cli\u003eWhat is the fastest way to locate the access point? 
What is the most covert way to locate the access point?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been deployed by an external party (e.g., contractor) temporarily working at the organization’s office?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if an intrusion detection analyst reported signs of suspicious activity involving some of the workstations on the same floor of the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been removed while the team was still attempting to physically locate it?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T23062,"])</script><script>self.__next_f.push([1,"\u003ch3\u003eIntroduction\u003c/h3\u003e\u003cp\u003eRMH Chapter 8 Incident Response documents the controls that focus on how the organization must: establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and track, document, and report incidents to appropriate organizational officials and/or authorities. Procedures addressed include incident response training, incident response testing, incident handling, monitoring and reporting, and information spillage response. Within this chapter, readers will find the CMS Cybersecurity Integration Center (CCIC) Functional Area Overview figure and how the Incident Management Team (IMT) within the CCIC works with systems to mitigate information security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLooking for templates and forms about Incident Response\u003c/strong\u003e? 
Within this page you can find:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eCMS Security and Privacy Incident Report form\u003c/a\u003e (for reporting an incident)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eIncident Response Plan Template\u003c/a\u003e (for creating your Incident Response plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-test-plan-template\"\u003eTabletop Exercise Test Template\u003c/a\u003e (for creating your Tabletop Exercise that you will use to test your Incident Response Plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-participant-guide-template\"\u003eTabletop Exercise Participant Guide Template\u003c/a\u003e (for creating Participant Guides that you can give to people who will be participating in your Tabletop Exercise)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#after-action-report-template\"\u003eAfter-Action Report Template\u003c/a\u003e (for summarizing the outcomes / finding of the Tabletop Exercise, along with any necessary next steps)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eCommon Control Inheritance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe inherited controls list can be used to identify common controls offered by system alternatives. 
The use of inherited controls is optional; the objective of this process is to identify opportunities to extract benefits (and reduce costs) by maximizing the use of already existing solutions, and minimizing duplication of efforts across the enterprise.\u003c/p\u003e\u003cp\u003eBelow is a listing of controls that can be inherited, where they can be inherited from, and whether they are a hybrid control for this control family.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Response Control\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInheritable From\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eHybrid Control\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-01\u003c/td\u003e\u003ctd\u003eOCISO Inheritable Controls\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(02)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(01)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(04)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - 
EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-08\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(03)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(04)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eProcedures\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProcedures assist in the implementation of the required security and privacy controls.\u003c/p\u003e\u003cp\u003eIn this section, the IR family procedures are outlined. To increase traceability, each procedure maps to the associated National Institute of Standards and Technology (NIST) controls using the control number from the CMS Acceptable Risk Safeguards (ARS).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Training (IR-02)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Training is to prepare individuals to prevent, detect, and respond to security and privacy incidents, and ensure that CMS fulfills Federal Information Security Modernization Act (FISMA) requirements. Incident response training should be consistent with the roles and responsibilities assigned in the incident response plan. For example, incident response training is applicable to Information System Owners (SO), Business Owners (BO), and Information System Security Officers (ISSO). CMS personnel (i.e., employees and contractors) who routinely access sensitive data, such as names, Social Security numbers, and health records to carry out the CMS mission receive incident response training annually as part of the general information security awareness training.\u003c/p\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) shall endorse and promote an organizational- wide information systems security and privacy awareness training. 
According to \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e the CIO, shall establish, implement, and enforce a CMS-wide framework to facilitate an incident response program including Personal Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) breaches that ensures proper and timely reporting to HHS. In the CMS IS2P2, the CISO and the SOP shall ensure the CMS-wide implementation of Department and CMS policies and procedures that relate to information security and privacy incident response.\u003c/p\u003e\u003cp\u003eUsers must be aware that the Internal Revenue Code (IRC), Section 6103(p) (4) (D) requires that agencies receiving FTI provide appropriate safeguard measures to ensure the confidentiality of the FTI. Incident response training is one of the safeguards for implementing this requirement.\u003c/p\u003e\u003cp\u003eThe CMS Information Security and Privacy Group (ISPG) will provide incident response training to information system users that is consistent with assigned roles and responsibilities when assuming an incident response role or responsibility and annually thereafter. For example, general users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. 
In addition, those responsible for identifying and responding to a security incident must understand how to recognize when PII or PHI are involved so that they can coordinate with the SOP.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally-defined parameters (ODPs) for IR-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters – Control IR-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within [\u003cem\u003eAssignment: organization- defined time period\u003c/em\u003e] of assuming an incident response role or responsibility;\u003c/p\u003e\u003cp\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within one (1) month of assuming an incident response role or responsibility;\u003cbr\u003e\u003cbr\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. 
[\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eTraining for General Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor all Enterprise User Administration (EUA) users the following steps outline the process for completing the CMS Computer-based Training (CBT), which includes IR training.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eThe incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e The training will be delivered to all EUA users initially prior to account issuance and annually thereafter. It is the responsibility of users to take this training within three (3) days.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEach year based on the date of account issuance each user receives an email that requires a review and completion of the annual CBT.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eTraining records are maintained using the CBT database and include the User ID (UID) and the date the individual last completed the training\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRole-Based Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor individuals with incident response roles and responsibilities, role-based training is satisfied through the execution of a tabletop exercise as long as all personnel with incident response roles and responsibilities participate in the exercise. 
Review Section 3.2 Incident Response Testing for procedures to conduct a tabletop exercise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSimulated Events (IR-02(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to facilitate the effective response by personnel who handle crisis situations by incorporating simulated events into incident response training. Exercises involving simulated incidents can also be very useful for preparing staff for incident handling.1\u003c/p\u003e\u003cp\u003eThe selection of the scenarios should occur as a part of the test plan development; see Section 3.2 Incident Response Testing for developing the test plan. The following details the CMS specific process for incorporating simulated events/scenarios into incident response training, through the execution of a tabletop exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eSelect two scenarios from the list below that will form the foundation of the tabletop exercise. Document the scenarios and a description of each in the Tabletop Exercise Test Plan. It is important to select your scenarios based upon an assessment of risk (i.e., the greatest current threats). Weaknesses identified during prior incidents might identify good candidate scenarios for future incident response tests. In addition, results from prior \u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003esecurity control assessments (SCAs)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or existing \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e might assist in selecting scenarios for incident response testing. 
For example, if access control was identified as a weakness during a prior SCA, a good scenario to select for incident response testing would be scenario 6 (Unauthorized Access to Payroll Records). Detailed descriptions of each of these scenarios can be found in the ISPL (Information Security and Privacy Library) and the scenarios are listed below:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eScenario 1: \u003c/strong\u003eDomain Name System (DNS) Server Denial of Service (DoS)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 2: \u003c/strong\u003eWorm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 3: \u003c/strong\u003eStolen Documents\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 4: \u003c/strong\u003eCompromised Database Server\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 5: \u003c/strong\u003eUnknown Exfiltration\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 6: \u003c/strong\u003eUnauthorized Access to Payroll Records\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 7: \u003c/strong\u003eDisappearing Host\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 8: \u003c/strong\u003eTelecommuting Compromise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 9: \u003c/strong\u003eAnonymous Threat\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 10: \u003c/strong\u003ePeer-to-Peer File Sharing\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 11: \u003c/strong\u003eUnknown Wireless Access Point\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEnsure that the material developed for the tabletop exercise supports the scenarios selected. 
Review Section 3.2 Incident Response Testing for more information for developing the exercise material.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eExecute the tabletop test using the procedures outlined below in Section 3.2 Incident Response Testing Automated Training Environments (IR-02(02)).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Training Environments (IR-02(02))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Incident Response Training/Automated Training Environments is to ensure that CMS employs automated mechanisms to provide a more thorough and realistic incident training environment. At CMS, incident training and incident response testing are both satisfied through the execution of a tabletop exercise. These tabletop exercises are designed to incorporate automated mechanisms for incident response, review Section 3.2.1 Automated Testing for detailed procedure which ensure automated mechanisms are incorporated into incident response training.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Testing (IR-03)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Testing is to ensure that CMS tests the incident response capability for the information system using testing principles to determine the incident response effectiveness and document the results.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for IR testing.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control IR-03\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization tests the incident response capability for the information system:\u003c/p\u003e\u003cp\u003e[Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe organization tests the incident response capability for the information system within every three hundred sixty-five (365) days using NIST SP 800-61, reviews, analyses, and simulations to determine the organization’s incident response effectiveness, and documents its findings.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS incident response testing is accomplished through the execution of tabletop exercises. Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss roles during an emergency and the responses to a particular emergency situation.\u0026nbsp; A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a tabletop exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete the Test Plan utilizing the Tabletop Exercise Test Plan Template located in the ISPL\u003cstrong\u003e. \u003c/strong\u003eTesting must include two scenario-based exercises to determine the ability of the CMS to respond to information security and privacy incidents. 
Scenarios should be selected which integrate the use of automated mechanisms for incident response.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAcquire approval of the Test Plan from the Business Owner and/or ISSO. The approval is granted by signing the final row of the Test Plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDevelop the exercise materials (e.g., briefings, Participant Guide). A sample Tabletop Exercise Participant Guide Template is located in the ISPL. For more information on functional exercise material please refer to Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/84/final\"\u003eNIST SP 800- 84\u003c/a\u003e\u003cstrong\u003e, \u003c/strong\u003e\u003cem\u003eGuide to Test, Training, and Exercise Programs for IT Plans and Capabilities.\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eConduct the tabletop exercise according to the approved Test Plan. The agenda contained within the Test Plan serves as a guide for executing the exercise. Prior to releasing the exercise participants, the Exercise Facilitator and Data Collector conduct a debrief/hotwash.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eEvaluate the tabletop exercise by completing the After-Action Report located in the ISPL. This step is completed by the Exercise Facilitator and Data Collector.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCoordination with Related Plans (IR-03(02))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of the Incident Response Testing/Coordination with Related Plans is to ensure that CMS coordinates incident response testing with organizational elements responsible for related plans. 
Related plans can include but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfiguration Management Plan\u003c/li\u003e\u003cli\u003eInformation System Contingency Plan\u003c/li\u003e\u003cli\u003ePatch and Vulnerability Management Plan\u003c/li\u003e\u003cli\u003eInformation System Continuous Monitoring Strategy/Plan\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following steps detail the CMS specific process to ensure Coordination with Related Plans:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1:\u0026nbsp; \u003c/strong\u003eIdentify the related plans and the stakeholders associated with each.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEstablish a primary method of communication. Possible methods of communication include emails, face-to-face meetings, and teleconferences.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eUsing the primary method of communication identified above, request copies of related plans. Review the related plans identifying dependencies for the IR test.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eIdentify stakeholders from related plans that will be required to participate in the incident response exercise. Coordinate with the stakeholders through the establishment, review, and execution of a test plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eConduct follow up communications as necessary. 
Specifically, a copy of the After-Action Report should be provided to stakeholders associated with related plans so that those plans may be updated as needed.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Handling (IR-04)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS implements an incident handling capability for security and privacy incidents that includes 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post incident activity.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAll distributed Incident Response Teams (IRT) fall under the authority of the CCIC IMT, the single information security and privacy incident coordination entity. Each individual system is responsible for identifying incident responders as part of the system’s Incident Response Plan (IRP). The incident responders serve as the frontline of the incident handling capability with oversight and incident response assistance provided by the IMT. This section of the document establishes the specific requirements and processes for maintaining a unified, cohesive incident handling capability across the CMS enterprise and describes the relationship between the IMT and the frontline incident responders.\u003c/p\u003e\u003cp\u003eIn the event of a suspected or confirmed privacy (PII) data breach, CCIC IMT will notify ISPG that a Breach Analysis Team (BAT) should be convened, including representatives from ISPG, IMT, and system stakeholders such as the system Business Owner. The BAT will conduct and document a formal Risk Assessment to assess the risk of harm to individuals potentially affected by the breach. 
The following factors are used:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNature and sensitivity of PII\u003c/li\u003e\u003cli\u003eLikelihood of access and use of PII and\u003c/li\u003e\u003cli\u003eType of breach\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the Risk Assessment concludes that there is a moderate or high risk that PII has been compromised, the CMS Senior Official for Privacy will work with IMT and system stakeholders to develop a notification plan to notify affected individuals and mitigate their risk.\u003c/p\u003e\u003cp\u003eAffected individuals should be notified of a breach via first-class mail where possible, though depending on the nature and scale of the breach, additional methods such as email, telephone, and local media outreach may be used. The breach notification should include the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSource of the breach\u003c/li\u003e\u003cli\u003eBrief description\u003c/li\u003e\u003cli\u003eDate of discovery and breach occurrence\u003c/li\u003e\u003cli\u003eType of PII involved\u003c/li\u003e\u003cli\u003eA statement of whether or not the information was encrypted\u003c/li\u003e\u003cli\u003eWhat steps individuals should take to protect themselves from potential harm and services being provided to potentially affected individuals\u003c/li\u003e\u003cli\u003eWhat the agency is doing to investigate and resolve the breach\u003c/li\u003e\u003cli\u003eWho affected individuals should contact for information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition to breach notification, CMS must also consider how best to mitigate the risk of harm to affected individuals. 
CMS may need to provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCountermeasures against misuse of lost PII/PHI, such as notifying a bank if credit card numbers are lost\u003c/li\u003e\u003cli\u003eGuidance on how affected individuals can protect themselves against identity theft, such as education on credit freezes and other defensive measures\u003c/li\u003e\u003cli\u003eServices, such as credit monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Breach Analysis Team may determine that some, all, or none of these mitigation techniques are appropriate for a given breach. Some breaches may require notification, but not mitigation.\u003c/p\u003e\u003cp\u003eThe SOP coordinates with HHS Privacy Incident Response Team (PIRT) for review and approval of CMS response plan, breach notification, and breach mitigation. Incident handling activities should be coordinated with contingency planning activities; and the lessons learned from ongoing incident handling activities should be incorporated into incident response procedures, training and testing. The procedure below provides an inclusive set of specific steps and requirements for handling information security and privacy incidents using the four-phase lifecycle. This lifecycle must be used by the IMT and the frontline incident responders to properly handle information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident response methodologies typically emphasize preparation, not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. 
Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for phase one (preparation) of the incident handling lifecycle:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure the proper preparations have been made to respond to information security and privacy incidents by completing the Incident Preparation Checklist located in the ISPL. This checklist should be reviewed annually in coordination with the update to the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEnsure regular practices have been implemented to prevent information security and privacy incidents. The list below taken from NIST SP 800-61 Rev. 2 provides a brief overview of some of the main recommended practices for securing networks, systems and applications.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eRisk Assessments: \u003c/strong\u003ePeriodic risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities. This should include understanding the applicable threats, including organization-specific threats. Each risk should be prioritized, and the risks can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. 
Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard for risk assessment requires that the results of the risk assessment are reviewed at least annually and that the risk assessment is updated at least every three years or when a significant change occurs.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eHost Security: \u003c/strong\u003eAll hosts should be hardened appropriately using standard configurations.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition to keeping each host properly patched, hosts should be configured to follow the principle of least privilege, granting users only the privileges necessary for performing authorized tasks. Hosts should have auditing enabled and should log significant security-related events. The security of hosts and configurations should be continuously monitored. Many organizations use Security Content Automation Protocol (SCAP) configuration checklists to assist in securing hosts consistently and effectively.\u003c/p\u003e\u003cp\u003eThe CMS standard requires the implementation of the latest security configuration baselines established by the HHS, U.S. Government Configuration Baselines (USGCB), and the National Checklist Program (NCP).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNetwork Security: \u003c/strong\u003eThe network perimeter should be configured to deny all activity that is not expressly permitted. 
This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires that the information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalware Prevention: \u003c/strong\u003eSoftware to detect and stop malware should be deployed throughout the organization. Malware protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., email server, web proxies), and the application client level (e.g., email clients, instant messaging clients). The CMS standard requires that malicious code protection mechanisms are implemented as follows:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDesktops: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eServers \u003c/strong\u003e(to include databases and applications)\u003cstrong\u003e: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, malicious code protection mechanisms should be updated whenever new releases are available in accordance with CMS configuration management policy and procedures. Antivirus definitions should be updated in near-real-time. 
Malicious code protection mechanisms should be configured to lock and quarantine malicious code and send alerts to administrators in response to malicious code detection.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eUser Awareness and Training: \u003c/strong\u003eUsers should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications as well as the policy and procedures for safeguarding data that is not in digital form (e.g., PII in paper form). Applicable lessons learned from previous incidents should also be shared with users to evaluate how actions taken by the user could affect the organization. Improving user awareness regarding incidents should reduce the frequency of incidents. IT staff should be trained to maintain networks, systems, and applications in accordance with the organization’s security standards. All users should be trained to protect printed hard/paper copies of data, including PII.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires all general users receive security and privacy awareness training annually. The incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e\u003ca href=\"https://www.cms.gov/cbt/forms/isspa.aspx\"\u003e.\u003c/a\u003e The training must be delivered to all EUA users initially prior to account issuance and annually thereafter.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMaintain Inventory: \u003c/strong\u003eMaintain an accurate inventory of information system components identifying those components that store, transmit, and/or process PII. 
An accurate inventory facilitates the implementation of the appropriate information security and privacy controls and is critical to preventing, detecting and responding to information security incidents.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure that the preparation and prevention techniques listed in Steps 1 and 2 above have been incorporated into the incident response plan for the information system and exercised at least annually. Review Incident Response Plan for details on developing the incident response plan and Incident Response Testing for details on incident response testing.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePrepare for Common Attack Vectors. 
The attack vectors listed below are not intended to provide definitive classification for incidents; but rather, to simply list common methods of attack, which can be used as a basis for detection:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eExternal/Removable Media: \u003c/strong\u003eAn attack executed from removable media or a peripheral device, for example, malicious code spreading onto a system from an infected universal serial bus (USB) flash drive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAttrition: \u003c/strong\u003eAn attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services (e.g., a Distributed Denial of Service (DDoS) intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords, CAPTCHAS, or digital signatures).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWeb: \u003c/strong\u003eAn attack executed from a website or web-based application; for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEmail: \u003c/strong\u003eAn attack executed via an email message or attachment; for example, exploit code disguised as an attached document or a link to a malicious website in the body of an email message.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImpersonation: \u003c/strong\u003eAn attack involving replacement of something benign with something malicious; for example: spoofing, man in the middle attacks, rogue wireless access points, and structured query language (SQL) injection attacks all involve impersonation.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproper Usage: \u003c/strong\u003eAny incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories; for example, a user installs file 
sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRecognize the Signs of an Incident.\u0026nbsp; Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Precursors and indicators are identified using many different sources, with the most common being computer security software alerts, logs, publicly available information, and people. The table below, taken from \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Rev. 2\u003c/a\u003e, lists common sources of precursors and indicators for each category.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: Common Sources of Precursors and Indicators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlerts\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIDPSs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntrusion Detection and Prevention Systems (IDPS) products identify suspicious events and record pertinent data regarding them, including the date and time the attack was detected, the type of attack, the source and destination IP addresses, and the username (if applicable and known). Most IDPS products use attack signatures to identify malicious activity; the signatures must be kept up to date so that the newest attacks can be detected. 
IDPS software often produces \u003cem\u003efalse positives, \u003c/em\u003ealerts that indicate malicious activity is occurring, when in fact there has been none. Analysts should manually validate IDPS alerts either by closely reviewing the recorded supporting data or by getting related data from other sources.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSIEMs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eSecurity Information and Event Management (SIEM) products are similar to IDPS products, and can generate alerts based on analysis of log data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAntivirus and anti-spam software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eAntivirus software detects various forms of malware, generates alerts, and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks, and other malicious content, so alerts from antispam software may indicate attack attempts.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFile integrity checking software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFile integrity checking software can detect changes made to important files during incidents. It uses a hashing algorithm to obtain a cryptographic checksum for each designated file. If the file is altered and the checksum is recalculated, an extremely high probability exists that the new checksum will not match the old checksum. 
By regularly recalculating checksums and comparing checksum with previous values, changes to files can be detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eThird-party monitoring services\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThird parties offer a variety of subscription-based and free monitoring services. An example is fraud detection services that will notify an organization if its IP addresses, domain names, etc. are associated with current incident activity involving other organizations. There are also free real-time deny lists with similar information.\u003c/p\u003e\u003cp\u003eAnother example of a third-party monitoring service is a CSIRC notification list; these lists are often available only to other incident response teams.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003eLogs\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eOperating system, service and application logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eLogs from operating systems, services, and applications (particularly audit-related data) are frequently of great value when an incident occurs, such as recording which accounts were accessed and what actions were performed. Organizations should require a baseline level of logging on all systems and a higher baseline level on critical systems. 
Logs can be used for analysis by correlating event information.\u003c/p\u003e\u003cp\u003eDepending on the event information, an alert can be generated to indicate an incident.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork device logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLogs from network devices such as firewalls and routers are not typically a primary source of precursors or indicators. Although these devices are usually configured to log blocked connection attempts, little information is provided about the nature of the activity. Still, the devices can be valuable in identifying network trends and in correlating events detected by other devices.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork flows\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eA network flow is a particular communication session occurring between hosts. Routers and other networking devices can provide network flow information, which can be used to find anomalous network activity caused by malware, data exfiltration, and other malicious acts. There are many standards for flow data formats, including NetFlow, sFlow, and IPFIX.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePublicly Available Information\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation on new vulnerabilities and exploits\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eKeeping up with new vulnerabilities and exploits can prevent some incidents from occurring and assist in detecting and analyzing new attacks. The National Vulnerability Database (NVD) contains information on vulnerabilities. 
Organizations such as US-CERT and CERT®/CC periodically provide threat update information through briefings, web postings, and mailing lists.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePeople\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from within the organization\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eUsers, system administrators, network administrators, security staff, and others within the organization may report signs of incidents. It is important to validate all such reports. One approach is to ask people who provide such information how confident they are of the accuracy of the information. Recording this estimate along with the information provided can help considerably during incident analysis, particularly when conflicting data is discovered.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from other organizations\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReports of incidents that originate externally should be taken seriously. For example, the organization might be contacted by a party claiming a system at the organization is attacking the other party’s systems. External users may also report other indicators, such as a defaced web page or an unavailable service. Other incident response teams also may report incidents. 
It is important to have mechanisms in place for external parties to report indicators and for trained staff to monitor those mechanisms carefully; this may be as simple as setting up a phone number and email address, configured to forward messages to the help desk.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eReport and Analyze the Incident. Report the incident using the procedures outlined in Section 3.5 Incident Reporting. Once reported the IMT and frontline IR responders analyze the incident. The following are recommendations taken from \u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-61\"\u003eNIST-SP 800-61 Rev. 4 \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efor making incident analysis easier and more effective:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eProfile Networks and Systems\u003c/strong\u003e: Profiling is measuring the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling are running file integrity checking software on hosts to derive checksums for critical files and monitoring network bandwidth usage to determine what the average and peak usage levels are on various days and times. In practice, it is difficult to detect incidents accurately using most profiling techniques; organizations should use profiling as one of several detection and analysis techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUnderstand Normal Behaviors\u003c/strong\u003e: Incident response team members should study networks, systems, and applications to understand what the normal behavior is so that abnormal behavior can be recognized more easily. 
No incident handler will have a comprehensive knowledge of all behavior throughout the environment, but handlers should know which experts could fill in the gaps. One way to gain this knowledge is through reviewing log entries and security alerts. This may be tedious if filtering is not used to condense the logs to a reasonable size.\u0026nbsp; As handlers become more familiar with the logs and alerts, handlers should be able to focus on unexplained entries, which are usually more important to investigate. Conducting frequent log reviews should keep the knowledge fresh, and the analyst should be able to notice trends and changes over time. The reviews also give the analyst an indication of the reliability of each source.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCreate a Log Retention Policy: \u003c/strong\u003eInformation regarding an incident may be recorded in several places, such as firewall, IDPS, and application logs. Creating and implementing a log retention policy that specifies how long log data should be maintained may be extremely helpful in analysis because older log entries may show reconnaissance activity or previous instances of similar attacks. Another reason for retaining logs is that incidents may not be discovered until days, weeks, or even months later. The length of time to maintain log data is dependent on several factors, including the organization’s data retention policies and the volume of data. See NIST SP 800-92, \u003cem\u003eGuide to Computer Security Log Management \u003c/em\u003efor additional recommendations related to logging.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePerform Event Correlation: \u003c/strong\u003eEvidence of an incident may be captured in several logs that each contain different types of data; a firewall log may have the source IP address that was used, whereas an application log may contain a username. 
A network IDPS may detect that an attack was launched against a particular host, but it may not know if the attack was successful. The analyst may need to examine the host’s logs to determine that information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCorrelating events among multiple indicator sources can be invaluable in validating whether a particular incident occurred.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eKeep All Host Clocks Synchronized\u003c/strong\u003e: Protocols such as the Network Time Protocol (NTP) synchronize clocks among hosts. Event correlation will be more complicated if the devices reporting events have inconsistent clock settings. From an evidentiary standpoint, it is preferable to have consistent timestamps in logs, for example, to have three logs that show an attack occurred at 12:07:01 a.m., rather than logs that list the attack as occurring at 12:07:01, 12:10:35, and 11:07:06.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMaintain and Use a Knowledge Base of Information: \u003c/strong\u003eThe knowledge base should include information that handlers need for referencing quickly during incident analysis. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets, and relatively simple databases provide effective, flexible, and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries, and application error codes.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse Internet Search Engines for Research: \u003c/strong\u003eInternet search engines can help analysts find information on unusual activity. For example, an analyst may see some unusual connection attempts targeting TCP port 22912. 
Performing a search on the terms “TCP,” “port,” and “22912” may return some hits that contain logs of similar activity or even an explanation of the significance of the port number. Note that separate workstations should be used for research to minimize the risk to the organization from conducting these searches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRun Packet Sniffers to Collect Additional Data: \u003c/strong\u003eSometimes the indicators do not record enough detail to permit the handler to understand what is occurring. If an incident is occurring over a network, the fastest way to collect the necessary data may be to have a packet sniffer capture the network traffic. Configuring the sniffer to record traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information. Because of privacy concerns, some organizations may require incident handlers to request and receive permission before using packet sniffers.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFilter the Data: \u003c/strong\u003eThere is simply not enough time to review and analyze all the indicators; at minimum, the most suspicious activity should be investigated. One effective strategy is to filter out categories of indicators that tend to be insignificant. Another filtering strategy is to show only the categories of indicators that are of the highest significance; however, this approach carries substantial risk because new malicious activity may not fall into one of the chosen indicator categories.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSeek Assistance from Others: \u003c/strong\u003eOccasionally, the team will be unable to determine the full cause and nature of an incident. 
If the team lacks sufficient information to contain and eradicate the incident, then it should consult with internal resources (e.g., information security staff) and external resources (e.g., US-CERT, other CSIRTs (Computer Security Incident Response Teams), contractors with incident response expertise). It is important to accurately determine the cause of each incident so that it can be fully contained.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 4\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eContinue to document updates to the incident in the Incident Response Reporting Template form.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003ePrioritize the incident using the criteria found in the \u003cem\u003e“Impact Category, Attack Vector Descriptions, \u0026amp; Attribute Category” \u003c/em\u003edocument of the Incident Response Reporting document which is located in the ISPL\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEstablish communication method and notify the appropriate CMS personnel. The Incident Notification Table located in the Incident Response Steps for CISO (Appendix A) is a guide on notification steps per incident type. 
The list below provides examples of individuals that may require notification in the event of an incident:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eHHS Office of the Inspector General (OIG)\u003c/li\u003e\u003cli\u003eLocal information response team within the organization\u003c/li\u003e\u003cli\u003eExternal incident response team (if appropriate)\u003c/li\u003e\u003cli\u003eSystem Owner\u003c/li\u003e\u003cli\u003eInformation System Security Owner\u003c/li\u003e\u003cli\u003eSystem Business Owner\u003c/li\u003e\u003cli\u003eSystem Cyber Risk Advisor\u003c/li\u003e\u003cli\u003eCMS Office of Human Capital (for cases involving employees, such as harassment through email)\u003c/li\u003e\u003cli\u003eCMS Office of Financial Management (in the case where extra funding is needed for investigation activities)\u003c/li\u003e\u003cli\u003eCMS Office of Communications (for incidents that may generate publicity)\u003c/li\u003e\u003cli\u003eCMS Office of Legislation (for incidents with potential legal ramifications)\u003c/li\u003e\u003cli\u003eUS-CERT (required for Federal agencies and systems operated on behalf of the Federal government).\u003c/li\u003e\u003cli\u003eIndividual (whose PII has been compromised)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe below table documents the responsibilities that should be fulfilled by employees in certain roles during an incident response event:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRole\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsibility\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCISO\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eLead the 
investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eOnce an incident has been validated, the incumbent CISO will follow the steps in the CISO Playbook which is attached as Appendix A. This playbook details the CISO’s responsibilities, the scenarios to be considered and the relevant incident response contacts during an event.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIMT Lead\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify and deliver incident situation reports to CMS CISO.\u003c/li\u003e\u003cli\u003eCoordinate Incident Response activities\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSenior Official for Privacy (SOP)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCoordinate/Support incident response activities with CISO.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the system Business Owner and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling which includes all incidents involving PII/PHI.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eWorks with IMT Lead to coordinate incident response activities related to their assigned CMS information systems.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the Senior Official for Privacy and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify IMT of incident 
situation\u003c/li\u003e\u003cli\u003eEnsure Incident Response form has been completed as accurately as possible at the time of the initial report.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDesignated Appointee\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eUpdate the ServiceNow ticket as the situation arises and follow up with the CMS IT Helpdesk until incident has been resolved.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContainment, Eradication and Recovery\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eChoose a containment strategy. The containment strategy is determined based on the type of the incident (e.g., disconnect system from the network, or disable certain functions). Frontline incident responders should work with the IMT to select an appropriate containment strategy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eGather and handle evidence. The CCIC Forensic, Malware and Analysis Team (FMAT) maintain the criteria for evidence collection and a procedure to ensure a chain of custody. The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eIdentify the attacking host. The following items taken from NIST-SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide \u003c/em\u003edescribe the most commonly performed activities for attacking host identification:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eValidating the Attacking Host’s IP Address: \u003c/strong\u003eNew incident handlers often focus on the attacking host’s IP address. 
The handler may attempt to validate that the address was not spoofed by verifying connectivity to it; however, this simply indicates that a host at that address does or does not respond to the requests. A failure to respond does not mean the address is not real, for example, a host may be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic address that has already been reassigned to someone else.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResearching the Attacking Host through Search Engines: \u003c/strong\u003ePerforming an Internet search using the apparent source IP address of an attack may lead to more information on the attack, for example, a mailing list message regarding a similar attack.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUsing Incident Databases: \u003c/strong\u003eSeveral groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time deny lists. The organization can also check its own knowledge base or issue tracking system for related activity.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitoring Possible Attacker Communication Channels: \u003c/strong\u003eIncident handlers can monitor communication channels that may be used by an attacking host. For example, many bots use IRC as the primary means of communication. Also, attackers may congregate on certain IRC channels to brag about compromises and share information. However, incident handlers should treat any such information acquired only as a potential lead, not as fact.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eEradicate the incident and recover. Eliminate components of the incident (e.g. delete malware, disable breached accounts, identify and mitigate vulnerabilities that were exploited). 
Incident responders should coordinate with the IMT to identify and execute a strategy for eradication of the incident. Once eradication has been completed restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eConduct a lessons learned meeting. Learning and improving, one of the most important parts of incident response is also the most often omitted. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the meeting include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eExactly what happened, and at what times?\u003c/li\u003e\u003cli\u003eHow well did staff and management perform in dealing with the incident? 
Were the documented procedures followed and adequate?\u003c/li\u003e\u003cli\u003eWhat information was needed sooner?\u003c/li\u003e\u003cli\u003eWere any steps or actions taken that might have inhibited the recovery?\u003c/li\u003e\u003cli\u003eWhat would the staff and management do differently the next time a similar incident occurs?\u003c/li\u003e\u003cli\u003eHow could information sharing with other organizations have been improved?\u003c/li\u003e\u003cli\u003eWhat corrective actions can prevent similar incidents in the future?\u003c/li\u003e\u003cli\u003eWhat precursors or indicators should be watched for in the future to detect similar incidents?\u003c/li\u003e\u003cli\u003eWhat additional tools or resources are needed to detect, analyze, and mitigate future incidents?\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eDocument the lessons learned and update the IRP and associated procedures as necessary.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eEnsure evidence is retained and archived. The criteria for evidence collection, a procedure to ensure a chain of custody, and archival instructions are maintained by the CCIC Forensic, Malware and Analysis Team (FMAT). The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Incident Handling Processes (IR-04(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS employs automated mechanisms to support the incident handling process. CMS employs automated mechanisms (e.g., online incident management systems) to support the organization’s incident handling process. 
The following table provides examples of tools used for automated incident handling processes at CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: Automated Tools\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTools\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eUsers\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eHHS RSA Archer\u003c/td\u003e\u003ctd\u003eThe HHS tool used for all incident/tracking and reporting. Users do not access HHS Archer directly.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eServiceNow\u003c/td\u003e\u003ctd\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS IT Service Desk CCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003cp\u003eCMS Users\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSplunk\u003c/td\u003e\u003ctd\u003eA logging solution for security (CMS Enterprise Security) and Operations and Maintenance (O\u0026amp;M) log management OCISO Systems Security Management (OSSM). It is used as an audit reduction tool by the agency to review audit logs.\u003c/td\u003e\u003ctd\u003eCCIC\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eInformation Correlation (IR-04(04))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Information Correlation is to ensure that CMS correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. 
To achieve this:\u003c/p\u003e\u003col\u003e\u003cli\u003eAll tickets submitted in ServiceNow are thoroughly worked through to determine whether they should be classified as an incident. The submitted tickets are correlated and analyzed for trends.\u003c/li\u003e\u003cli\u003eCCIC uses the SIEM tool, Splunk, to correlate data from various sources to receive alerts associated with incident breaches.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eIncident Monitoring (IR-05)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Monitoring is to ensure that CMS documents information system security incidents and maintains records about each incident such as the status of the incident, and pertinent information necessary for forensics (evaluating incident details, trends, and handling). At CMS, the CCIC delivers a number of important, agency-wide security services. One such service is Continuous Diagnostics and Mitigation (CDM), which is still in development; not all data centers have been transitioned. Other services include vulnerability management, security engineering, incident management, forensics and malware analysis, information sharing, cyber-threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eThe IMT is the group responsible for tracking and documenting security and privacy incidents. Stakeholders outside of the IMT (e.g., incident responders, ISSO, system owners, etc.) are responsible for providing the information necessary to track and monitor information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Tracking/Data Collection/Analysis (IR-05(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Tracking/Data Collection/Analysis is to ensure that CMS employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. 
At CMS, the RSA Archer/CFACTS SecOps Module is utilized for tracking potential incidents under investigation by the CCIC SOC. The IMT is responsible for maintaining the data in RSA Archer/CFACTS along with reviewing, updating, and analyzing the data and producing trend analysis.\u003c/p\u003e\u003cp\u003eThe following list details automated tools utilized at CMS to assist in the tracking of security incidents and in the collection and analysis of incident information. Once an incident has been reported, the external stakeholders will be able to leverage the benefits of these tools via the support provided by the IMT.\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS uses a ServiceNow ticketing system for all privacy and security incidents for incident/tracking and reporting.\u003c/li\u003e\u003cli\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/li\u003e\u003cli\u003eThe HHS Archer is the incident response tool used to notify HHS of an incident. A shell ticket is automatically created in HHS Archer when CMS IMT is assigned a ticket in ServiceNow.\u003c/li\u003e\u003cli\u003eThe CCIC IMT updates the incident information in ServiceNow, which will post automatically to HHS Archer. 
This will occur until the incident has been resolved.\u003c/li\u003e\u003cli\u003eCMS RSA Archer/CFACTS SecOps Module is used for investigating potential incidents discovered by the CCIC SOC.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Reporting (IR-06)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe intent of this control is to ensure that CMS requires employees and contractors to report suspected or confirmed information security and privacy incidents to appropriate authorities and to ensure that a formal incident reporting process exists.\u003c/p\u003e\u003cp\u003eAs part of a robust, enterprise security operations program designed to reduce the risks of malicious activity, CMS established the CCIC to provide enterprise-wide situational awareness and near real-time risk management. The CCIC also provides information security and aggregated monitoring of security events across all CMS information systems. Finally, the CCIC notifies appropriate security operations staff of detected configuration weaknesses, vulnerabilities open to exploitation, relevant threat intelligence, including indicators of compromise (IOCs) and security patches. For purposes of incident response, the IMT, as a sub-component of the CCIC, provides incident response assistance and support. All information security and privacy incidents are to be reported to the CMS IT Service Helpdesk. 
The CMS IT Service Helpdesk will notify the IMT as appropriate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control IR-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-6\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eRequires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to [Assignment: organization-defined authorities]\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003eRequires personnel to report actual or suspected security and privacy incidents to the organizational incident response capability within 1 hour of discovery/notification; and\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to CMS IT Service Help Desk.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe following process details the CMS procedure for reporting suspected security and privacy incidents:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eReport the suspected information security and privacy incident to the CMS IT Service Desk at (410) 786-2580 (internal only) or (800) 562-1963 (internal and external) and/or email \u003ca 
href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. Additionally, contact your ISSO as soon as possible and apprise them of the situation. All suspected information security and privacy incidents must be reported to the CMS IT Service Desk within one hour of discovery.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAfter notifying the CMS IT Service Desk, collect as much supporting information as possible on the suspected security and privacy incident using the Incident Response Reporting Template located in the ISPL. Provide the information contained on the completed incident reporting form to the CMS IT Service Desk.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThis template replaces the previous HHS CMS Computer Security Incident Report form that was published separately to the information security library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Desk creates a ServiceNow ticket and enters the details on the suspected security and privacy incident. This ServiceNow ticket creates a shell ticket in HHS Archer, which is the HHS incident response tool.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe IMT will update the ServiceNow ticket, as necessary, which will automatically populate in HHS Archer until the incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eThe IMT analyzes the suspected incident, working with the SOC analyst as necessary, and, if it is confirmed as an actual incident, executes the incident handling procedures located in Section 3.5 Incident Handling.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Reporting (IR-06(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Reporting is to ensure that CMS employs automated mechanisms to assist in the reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Automated Reporting:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk and report the information security incident.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe CMS IT Service Helpdesk will open a ServiceNow ticket and record the incident. This ServiceNow ticket automatically generates an Archer ticket notifying HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Helpdesk will then assign the ticket to the IMT and they will evaluate the incident report while providing updates to CMS CISO and HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe user (reporter) will continue to update the incident report in ServiceNow or contact the CMS IT Service Helpdesk.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eIf the IMT finds that the event is valid, the user will be contacted and the mitigation process will start.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6: \u003c/strong\u003eIf the IMT finds that the event is not valid, the IMT will close out the ticket and contact the user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7: \u003c/strong\u003eThe user (reporter) will work with the IMT until remediation of the security incident.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Assistance (IR-07)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Assistance is to ensure that CMS provides an incident response support resource, integral to the CMS’ incident capability that offers advice and assistance to users of the information system for handling and reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Incident Response assistance:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk for incident response assistance. The CMS IT Service Desk notifies the IMT as appropriate.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe IMT will evaluate, validate the incident and assist with the mitigation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAutomation Support for Availability of Information/Support (IR-07(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automation Support for Availability of Information Support is to ensure that CMS employs automated mechanisms to increase the availability of incident response-related information and support.\u003c/p\u003e\u003cp\u003eCMS uses multiple resources to provide the user community information/support. These include but are not limited to intranets, mailboxes, and online libraries.\u003c/p\u003e\u003cp\u003eUsers may use the following resources for Automation Support for Availability of Information/Support:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/\"\u003eThe CMS website\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe CMS CISO mailbox at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS IT Service Desk at \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS Incident Management Team (IMT) at \u003ca href=\"mailto:IncidentManagement@cms.hhs.gov\"\u003eIncidentManagement@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"http://intranet.cms.gov/\"\u003eThe CMS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.hhs.gov/ocio\"\u003eThe HHS.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe \u003ca href=\"https://intranet.hhs.gov/\"\u003eHHS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan (IR-08)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Plan (IRP) is to provide a roadmap for implementing the incident response capability. Each organization needs a plan that meets its unique requirements, which relates to the organization’s mission, size, structure, and functions. The plan should lay out the necessary resources and management support. The incident response plan should include the following elements:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePurpose\u003c/li\u003e\u003cli\u003eScope\u003c/li\u003e\u003cli\u003eDefinitions\u003c/li\u003e\u003cli\u003eRoles and Responsibilities\u003c/li\u003e\u003cli\u003eUnderstanding an Incident\u003c/li\u003e\u003cli\u003eIncident Life Cycle\u003cul\u003e\u003cli\u003ePreparation\u003c/li\u003e\u003cli\u003eDetection and Analysis\u003c/li\u003e\u003cli\u003eContainment, Eradication and Recovery\u003c/li\u003e\u003cli\u003ePost-Incident Activity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReporting Requirements\u003c/li\u003e\u003cli\u003ePoints of Contact\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe incident response policy is established in the CMS IS2P2 and has been included in this handbook. The Incident Response Plan template is attached to this document as Appendix B. This document provides incident response procedure to facilitate the implementation of incident response controls. 
Incident response plan, policy, and procedure creation is an important part of establishing a team; it permits incident response to be performed effectively, efficiently, and consistently, and empowers the team to do what needs to be done.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters - Control IR-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by [Assignment: organization-defined personnel or role];\u003c/p\u003e\u003cp\u003eb. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or role) and organizational elements]\u003c/p\u003e\u003cp\u003ec. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and Protects the incident response plan from unauthorized disclosure and modification\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by the applicable Business Owner at least annually.\u003c/p\u003e\u003cp\u003eb. 
Distributes copies of the incident response plan to CMS CIO, CMS CISO, ISSO, CMS OIG Computer Crime Unit (CCU), all personnel within the CMS Incident Response Team, PII Breach Response Team and Operations Centers.\u003c/p\u003e\u003cp\u003ec. Reviewed annually and updated as required\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to all stakeholders.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CCIC IMT created an IRP that provides the CMS with a roadmap for implementing its incident response capability and outlines the incident response process for the IMT. In addition, each information system is responsible for maintaining a separate IRP that describes the system’s internal processes for incident response and leverages the capability of the IMT. The following steps detail the process for creating an IRP using the template located in the ISPL:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete a draft IRP by leveraging the template and instructions located in Appendix B.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eSubmit the draft IRP to the information system’s assigned CRA for ISPG approval. Update that plan as necessary based on the feedback received from ISPG.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDocument the plan approval by having the Business Owner and ISSO sign the plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eDisseminate the plan to all appropriate stakeholders to include: the CRA, ISSO, BO, Incident Responders, System Developers, and System Administrators.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eCMS Security \u0026amp; Privacy Incident Report Form\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Security and Privacy Incident Report\u003c/strong\u003e is a form to be filled out when someone has an incident to report. 
\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/rmh-chapter-08-incident-response-appendix-k-incident-report-template\"\u003eYou can access the form and instructions here\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Steps for CISO\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSignificant Event/Potential Incident Reported\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive notification from DCTSO Director or IR Fed Lead\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eWas this incident reported to HHS Office of Civil Rights (OCR) in accordance with HIPAA and for Protected Health Information (PHI)? 
Refer to the OCR website for any details about the event / incident.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eObtain situational awareness \u003c/strong\u003eof the potential incident and the likely\u003c/p\u003e\u003cp\u003eimpact(s) on CMS data and /or CMS FISMA systems.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident situation reports from IMT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eWhen engaging an external partner, consider including or informing HHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR), which executes the Federal coordination responsibilities on behalf of HHS regarding the critical infrastructure public-private partnership for the Healthcare and Public Healthcare Sector (identified in PPD-21 and the National Infrastructure Protection Plan (NIPP)).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident 
\u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will coordinate with IMT to ensure all stakeholders are on security bridge (e.g., SOP, OL, OA, HHS)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? 
If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eDoes CMS have relevant experience or capabilities that it could deploy?\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eTriage and determine if risk analysis should be performed\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eOC/OL will keep the response teams apprised of public or legislative affairs matters related to the event/incident (e.g., Congressional inquiries and media monitoring)\u003c/li\u003e\u003cli\u003eIf communication of CMS risks or potential impacts is necessary, coordinate development of messaging and identify communication channels\u003c/li\u003e\u003cli\u003eReceive impact analysis and make a decision regarding additional analysis of impacts to CMS\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency 
partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eDetermine specific CMS impacts \u003c/strong\u003e(e.g., PII, PHI, FTI, contracts, \u0026amp; other business partners) and \u003cstrong\u003eDetermine specific impacts to CMS data \u003c/strong\u003e(e.g., PII,\u003c/p\u003e\u003cp\u003ePHI, FTI)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eProvide guidance to IR staff about cadence of status reporting\u003c/li\u003e\u003cli\u003eEscalate incident to HHS leadership\u003c/li\u003e\u003cli\u003eWhen findings are presented, consider if public and/or external communication may be appropriate (even if it is not legally necessary or required)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIn accordance with OMB M-20-04, report “\u003cem\u003emajor incidents” \u003c/em\u003eto Congress within seven days.\u003c/li\u003e\u003cli\u003eWhen evaluating impacts to CMS systems, engage business owners and system owners (including ISSOs) and include the impacts to their environments in status reports.\u003c/li\u003e\u003cli\u003eIf sensitive information other than PII, 
PHI, or FTI (e.g., proprietary information) is at risk, consider the risk to the agency and determine appropriate next steps.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e6\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident \u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will likely lead the meeting(s)/call(s), with\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e7\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExecute SOPs to contain and eradicate cause of the 
event/incident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide additional guidance/direction as necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDoes CMS have relevant experience or capabilities that it could deploy or offer to assist the external partner(s)?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e8\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eMonitor event/incident to assess changes in risk to CMS systems and/or data\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf changes in risk to CMS systems and/or data are evident, go to \u003cstrong\u003eStep 2A\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide counsel to leadership and response teams as appropriate\u003c/li\u003e\u003cli\u003eOC/OL: Determine if monitoring of media and Congressional sources is necessary, and communicate requests or news to leadership and response teams. 
Coordinate requests for information or messages that may need to be communicated externally\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDevelop lessons learned and recommend program enhancements\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eParticipate in IMT-led lessons learned development process and inform recommendations\u003c/li\u003e\u003cli\u003eReview lessons learned and submit to business \u0026amp; system owners\u003c/li\u003e\u003cli\u003eReview and support POA\u0026amp;Ms as required\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDetermine if policy changes need to occur in order to further safeguard CMS data.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e10\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eConclude incident and complete external communications 
activities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReview final Security Incident Report (SIR)\u003c/li\u003e\u003cli\u003eReport closure of incident as appropriate/necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContacts\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContact\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eNumber\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Management Team (IMT)\u003c/td\u003e\u003ctd\u003e443-316-5005\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSenior Official for Privacy (SOP)\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDCTSO Director\u003c/td\u003e\u003ctd\u003e410-786-5956\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPC Director\u003c/td\u003e\u003ctd\u003e410-786-6918\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPPG 
Director\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Communications (OC)\u003c/td\u003e\u003ctd\u003e410-786-8126\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Legislation (OL)\u003c/td\u003e\u003ctd\u003e202-619-0630\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of the Administrator (OA)\u003c/td\u003e\u003ctd\u003e410-786-3000\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR)\u003c/td\u003e\u003ctd\u003e202-205-8114\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of Inspector General (OIG)\u003c/td\u003e\u003ctd\u003e800-447-8477\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBridge\u003c/td\u003e\u003ctd\u003e877-267-1577 (meeting ID will be shared by IMT upon notification)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Notification Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNotification\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eWho Notifies?\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll incidents\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT\u003c/li\u003e\u003cli\u003eHHS CSIRC\u003c/li\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCMS IT Service Desk notifies IMT of an incident\u003c/li\u003e\u003cli\u003eCMS incident tickets are mirrored in the HHS Archer, which notifies HHS CSIRC\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving a CMS 
System\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eSO\u003c/li\u003e\u003cli\u003eBO\u003c/li\u003e\u003cli\u003eISSO\u003c/li\u003e\u003cli\u003eDG\u003c/li\u003e\u003cli\u003eCRA\u003c/li\u003e\u003cli\u003eUS-CERT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts CMS Personnel.\u003c/li\u003e\u003cli\u003eHHS CSIRC handles US-CERT reporting.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving suspected criminal activity\u003c/td\u003e\u003ctd\u003eHHS OIG\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving employees\u003c/td\u003e\u003ctd\u003eCMS Office of Human Capital\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving legal ramifications\u003c/td\u003e\u003ctd\u003eCMS Office of Legislation\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eISPG (to convene Breach Analysis Team)\u003c/li\u003e\u003cli\u003eIndividuals affected by PII/PHI compromise\u003c/li\u003e\u003cli\u003eHHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts ISPG of suspected breach\u003c/li\u003e\u003cli\u003eCMS SOP and BO create a notification plan for affected individuals, subject to review by HHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches affecting 500 or more people\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eHHS OCR\u003c/li\u003e\u003cli\u003eMedia outlets, as appropriate\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003eCMS SOP\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches requiring Media Outreach\u003c/td\u003e\u003ctd\u003eCMS Office of Communications\u003c/td\u003e\u003ctd\u003eCMS 
SOP\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe objective of this Incident Response Plan (IRP) is to outline the incident handling and response process for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; in accordance with the requirements outlined in the CMS Acceptable Risk Safeguards (ARS) and CMS Risk Management Handbook (RMH) Chapter 8, Incident Response. This plan covers all assets within the information system boundary, transmitting, storing, or processing CMS information. Furthermore, this plan describes how to manage incident response according to all Federal, Departmental and Agency requirements, policies, directives, and guidelines.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThis IRP is written for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; stakeholders with incident response roles and responsibilities and describes those responsibilities for each phase of the incident life cycle. 
This plan establishes a quick reference for security and privacy incident handling and response.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe following key terms and definitions relate to incident response:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdministrative Vulnerability: \u003c/strong\u003eAn administrative vulnerability is a security weakness caused by incorrect or inadequate implementation of a system’s existing security features by the system administrator, security officer, or users. An administrative vulnerability is not the result of a design deficiency. It is characterized by the fact that the full correction of the vulnerability is possible through a change in the implementation of the system or the establishment of a special administrative or security procedure for the system administrators and users. Poor passwords and inadequately maintained systems are the leading causes of this type of vulnerability.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach: \u003c/strong\u003eA breach is an incident that poses a reasonable risk of harm to the applicable individuals. For the purposes of Office of Management and Budget (OMB) OMB M-17-12 (for PII incidents) and Health Information Technology for Economic and Clinical Health (HITECH) Act (for PHI incidents) reporting requirements, a privacy incident does not rise to the level of a breach until it has been determined that the use or disclosure of the protected information compromises the security or privacy of the protected individual(s) and poses a reasonable risk of harm to the applicable individuals. 
For any CMS privacy incident, the determination of whether it may rise to the level of a breach is made (exclusively) by the CMS Breach Analysis Team (BAT), which determines whether the privacy incident poses a significant risk of financial, reputational, or other harm to the individual(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent: \u003c/strong\u003eAn event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Tax Information (FTI): \u003c/strong\u003eGenerally, Federal Tax Returns and return information are confidential,\u003c/p\u003e\u003cp\u003eas required by Internal Revenue Code (IRC) Section 6103. Information provided by the Internal Revenue Service (IRS) is considered FTI, and agencies, bodies, and commissions must ensure that they are\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003emaintaining appropriate safeguards to protect the information's confidentiality. 
[IRS 1075] Tax return information that is not provided by the IRS falls under PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Response: \u003c/strong\u003eIncident response outlines steps for reporting incidents and lists actions to be taken to resolve information systems security and privacy related incidents.\u0026nbsp; Handling an incident entails forming a team with the necessary technical capabilities to resolve an incident, engaging the appropriate personnel to aid in the resolution and reporting of such incidents to the proper authorities as required, and report closeout after an incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Incident: \u003c/strong\u003eA Privacy Incident is a Security Incident that involves Personally Identifiable Information (PII) or Protected Health Information (PHI), or Federal Tax Information (FTI) where there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or authorized users acting for other than authorized purposes, have access or potential access to the information. 
Users must have access or potential access to PII, PHI and/or FTI in usable form whether physical or electronic.\u003c/p\u003e\u003cp\u003ePrivacy incident scenarios include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLoss of federal, contractor, or personal electronic devices that store PII, PHI and/or FTI affiliated with CMS activities (i.e., laptops, cell phones that can store data, disks, thumb-drives, flash drives, compact disks, etc.)\u003c/li\u003e\u003cli\u003eLoss of hard copy documents containing PII, PHI and/or FTI\u003c/li\u003e\u003cli\u003eSharing paper or electronic documents containing PII, PHI and/or FTI with individuals who are not authorized to access it\u003c/li\u003e\u003cli\u003eAccessing paper or electronic documents containing PII, PHI and/or FTI without authorization or for reasons not related to job performance\u003c/li\u003e\u003cli\u003eEmailing or faxing documents containing PII, PHI and/or FTI to inappropriate recipients, whether intentionally or unintentionally\u003c/li\u003e\u003cli\u003ePosting PII, PHI and/or FTI, whether intentionally or unintentionally, to a public website\u003c/li\u003e\u003cli\u003eMailing hard copy documents containing PII, PHI and/or FTI to the incorrect address\u003c/li\u003e\u003cli\u003eLeaving documents containing PII, PHI and/or FTI exposed in an area where individuals without approved access could read, copy, or move for future use\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSecurity Incident: \u003c/strong\u003eIn accordance with \u003cem\u003eNIST SP 800-61 Revision 2, Computer Security Incident Handling Guide\u003c/em\u003e, a Security Incident is defined as an event that meets one or more of the following criteria:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in any information system processing information on behalf of CMS. 
It also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents and misrouting of mail, all of which may have the potential to put CMS data at risk of unauthorized access, use, disclosure, modification, or destruction\u003c/li\u003e\u003cli\u003eAn occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits\u003c/li\u003e\u003cli\u003eA violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTechnical Vulnerability: \u003c/strong\u003eA technical vulnerability is a hardware, firmware, or software weakness or design deficiency that leaves a system open to potential exploitation, either externally or internally, thus increasing the risk of compromise, alteration of information, or denial of service.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert the roles and responsibilities associated with this plan. 
Possible roles include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eBusiness Owners:\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Owner(s)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCyber Risk Advisors (CRA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Security Officer (i.e., ISSO)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCCIC Incident Management Team (i.e., CCIC IMT)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eFor a detailed description of the responsibilities associated with these role please refer to the CMS IS2P2 located at: \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003e\u003cem\u003e\u003cstrong\u003ehttps://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\u003c/strong\u003e\u003c/em\u003e\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eUnderstanding an Incident\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe following lists a small subset of common well known incidents:\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Destruction or Corruption: \u003c/strong\u003eThe loss of data integrity can take many forms including changing permissions on files making the files writable by non-privileged users, deleting data files and or programs, changing audit files to cover-up an intrusion, changing configuration files that determine how and 
what data is stored and ingesting information from other sources that may be corrupt\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData Compromise and Data Spills: \u003c/strong\u003eData compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMalicious Software (Malware): \u003c/strong\u003eMalicious code is software based attacks used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem. 
The following is a brief listing of various software attacks:\u003col\u003e\u003cli\u003e\u003cstrong\u003eVirus: \u003c/strong\u003eIt is propagated via a triggering mechanism (e.g., event time) with a mission (e.g., delete files, corrupt data, send data).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWorm: \u003c/strong\u003eAn unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eTrojan Horse: \u003c/strong\u003eA useful and innocent program containing additional hidden code that allows unauthorized computer network exploitation (CNE), falsification, or destruction of data.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eSpyware: \u003c/strong\u003eSurreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRootkit Software: \u003c/strong\u003eSoftware that is intended to take full or partial control of a system at the lowest levels. Contamination is defined as inappropriate introduction of data into a system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivileged User Misuse: \u003c/strong\u003ePrivileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecurity Support Structure Configuration Modification: \u003c/strong\u003eSoftware, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled. 
SSS’ are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eNote: These categories of incidents are not necessarily mutually exclusive.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eCauses of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalicious Code: \u003c/strong\u003eMalicious code is software or firmware intentionally inserted into an information system for an unauthorized purpose\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSystem Failures: \u003c/strong\u003eProcedures Failures or Improper Acts. A secure operating environment depends upon proper operation and use of systems. Failure to comply with established procedures, or errors/limitations in the procedures for a CMS system, can damage CMS reputation and increase vulnerability/risk to the system or application. While advances in computer technology enable the building of increased security into the CMS architecture, much still depends upon the people operating and using the system(s). Improper acts may be differentiated from insider attack according to intent. With improper acts, someone may knowingly violate policy and procedures, but is not intending to damage the system or compromise the information it contains\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eIntrusions or Break-Ins: \u003c/strong\u003eAn intrusion or break-in is entry into and use of a system by an unauthorized individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInsider Attack: \u003c/strong\u003eInsider attacks can pose the greatest risk. 
In an insider attack, a trusted user or operator attempts to damage the system or compromise the information it contains\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eAvenues of Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAs with any information system, attacks can originate through certain avenues or routes. An attack avenue is a path or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack avenues enable attackers to exploit system vulnerabilities, including the human element. If a system were locked in a vault with security personnel surrounding it, and if the system were not connected to any other system or network, there would be virtually no avenue of attack. However, there are numerous avenues of attack.\u003c/p\u003e\u003cul\u003e\u003cli\u003eLocal and/or partner networks\u003c/li\u003e\u003cli\u003eUnauthorized devices (including non-approved connections to a local network)\u003c/li\u003e\u003cli\u003eGateways to outside networks\u003c/li\u003e\u003cli\u003eCommunications devices\u003c/li\u003e\u003cli\u003eShared disks\u003c/li\u003e\u003cli\u003eRemovable media\u003c/li\u003e\u003cli\u003eDownloaded software\u003c/li\u003e\u003cli\u003eDirect physical access\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePossible Impacts of an Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOne of the major concerns of a verifiable computer security attack is that sensitive PII is compromised. 
The release of sensitive information to people without the proper need-to-know or formal authorization jeopardizes the tenet of Confidentiality, Integrity and Availability (CIA). In addition, users may lose trust in computing systems and become hesitant to use one that has a high frequency of incidents or even a high frequency of events that cause the user to distrust the integrity of the federal system. Moreover, users become disenfranchised with any action that causes all or part of the network’s service to be stopped entirely, interrupted, or degraded sufficiently to impact operations, as with a DoS attack. The list of impacts from attacks that compromise computer security includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDenial of Service\u003c/li\u003e\u003cli\u003eLoss or Alteration of Data or Programs\u003c/li\u003e\u003cli\u003ePrivacy Incident, including those resulting in identity theft or data breach\u003c/li\u003e\u003cli\u003eLoss of Trust in Computing Systems\u003c/li\u003e\u003cli\u003eThe loss of intellectual property and CMS confidential information\u003c/li\u003e\u003cli\u003eReputational damage to the organization\u003c/li\u003e\u003cli\u003eThe additional cost of securing networks, insurance, and recovery from attacks\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Life Cycles\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe incident response process has four phases. 
Review the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Incident Lifecycle\u003c/a\u003e.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003ePreparation ensures that the organization is ready to respond to incidents, but can also prevent incidents by ensuring that systems, networks, and applications are sufficiently secure. The following describes the techniques utilized by the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; to prepare for security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to prepare for information security incidents. Examples of preparation methods are implementing incident response tools, establishing security baselines, and running periodic announced training and/or unannounced drills. For additional information on preparation activities, please review Section 3.3.1 Preparation of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe how incidents involving PII are to be handled, including the policies and procedures that have been developed and how those policies and procedures are communicated to the staff. Staff should be informed of the consequences of their actions for inappropriate use and handling of PII. Describe how it is determined that the existing processes are adequate and that staff understand their responsibilities. Describe how suspected or known incidents involving PII are reported to the business owner, information system owner, CRA, ISSO, and CCIC IMT. 
Describe what information needs to be reported, and to whom.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIncidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies. The following section describes the techniques utilized by the \u0026lt;system name\u0026gt; to detect and analyze security incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to detect and analyze information security incidents. Examples of detection and analysis methods are preparing for common attack vectors, recognizing the signs of an incident, and documenting and prioritizing the incident. For additional information on detection and analysis activities, please review Section 3.3.2 Detection and Analysis of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to detect and analyze incidents involving PII that are the responsibility of the information staff. Describe how it is ensured that the analysis process includes an evaluation of whether an incident involved PII, focusing on both known and suspected breaches of PII. 
Detection of an incident involving PII also requires reporting internally, to US-CERT, and externally, as appropriate; this is a CCIC IMT responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eContainment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eContainment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making. Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. The following section describes the containment strategies and procedures for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt;:\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the strategies and procedures in place for the information system to contain information security incidents. Examples of containment strategies are, shut down a system, disconnect it from a network, and/or disable certain functions. 
For additional information on Containment activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the strategies and procedures in place for containing incidents involving PII.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that the hosts can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to eradicate and recover from information security incidents. Example methods for eradication are deleting malware, disabling breached accounts, and identifying and mitigating vulnerabilities that were exploited. Example activities associated with recovering from information security incidents are restoring systems to normal operation, confirming that systems are functioning normally, and remediating vulnerabilities to prevent similar incidents. 
For additional information on Eradication and Recovery activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe if media sanitization steps are performed when PII needs to be deleted from media during recovery. PII should not be sanitized until a determination has been made about whether the PII must be preserved as evidence. Describe if forensics techniques are needed to ensure preservation of evidence. If PII was accessed, describe how it is determined how many records or individuals were affected. These activities should be coordinated with the CCIC IMT.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been eradicated and recovery completed, each incident response team should evolve to reflect upon new threats, improve technology, and document lessons learned. Holding a lessons learned meeting with all involved parties after a major incident, and optionally after lesser incidents, can be extremely helpful in improving information security measures and the incident handling process.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to conduct post-incident activity after information security incidents. Example methods for post-incident activity are: conduct a lessons learned meeting, document the lessons learned, update the IRP and associated procedures as necessary, and ensure evidence is retained and archived. 
For additional information on post-incident activity, review the Post-Incident Activity section of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to conduct post-incident activity after incidents involving PII. This should include how the IRP is continually updated and improved based on the lessons learned during each incident. Sharing information within CMS and US-CERT to help protect against future incidents is a CCIC responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eReporting Requirements\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the information system process for reporting information security incidents. Incidents should be reported to the \u003c/em\u003eCMS IT Service Desk within one hour, by calling (410) 786-2580 (internal) or 1-800-562-1963 (internal and external) or email \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov.\u003c/a\u003e For information on reporting requirements \u003cem\u003efor information security and privacy incidents, \u003c/em\u003ereview Section 3.5 Incident Reporting and the Incident Response Reporting Template in \u003cem\u003eThe CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePoints of Contact\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Responders\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Administrators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Developers\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePlan Approval\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003cbr\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Test Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Topic\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cem\u003e\u0026lt;Insert Topic\u0026gt;\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scope\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the scope of the incident response test to include who will participate in the exercise, the purpose of the test, and the expected outcome.\u0026nbsp; All personnel with responsibilities under the incident response plan should participate in the exercise.\u0026nbsp; The exercise should apply to the roles and responsibilities.\u0026nbsp; This includes personnel within the incident response plan being exercised and focus on validating that the documented roles, responsibilities, and interdependencies are accurate and current.\u0026nbsp; To ensure that the knowledge of the roles and responsibilities identified in the plan being exercised is current, it is often effective to conduct a training session in conjunction 
with any tabletop exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Objectives\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eThe objectives of this test are as follows:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate the content of the incident response plan and the related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate participants’ roles and responsibilities as documented in the incident response plan and validate the interdependencies documented in the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo meet regulatory requirements, specifically the NIST SP 800-53 Rev. 4 requirements for incident response testing and incident response training.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo document lessons learned that may be utilized to update the incident response plan and related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eParticipants\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert participants; the participants should be composed of personnel with roles and responsibilities identified in the incident response plan.\u0026nbsp; For example, training staff, validation staff, and evaluation staff\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Facilitator\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who will lead the discussion among the exercise 
participants\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eData Collector\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who records information about the actions that occur during the exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate of Testing\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date and time of testing\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eLocation\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert Location\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEquipment Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required equipment, for example, audio visual equipment, whiteboard, flipchart\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMaterial Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required material, for example, participant guides, PowerPoint presentations, handouts\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scenarios\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Questions\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert a list of questions regarding the scenario that address the exercise objective.\u0026nbsp; Below are 
sample questions taken from NIST Special Publication 800-61 Computer Security Incident Handling Guide\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePreparation:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWould the organization consider this activity to be an incident?\u0026nbsp; If so, which of the organization’s policies does this activity violate?\u003c/li\u003e\u003cli\u003eWhat measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eDetection and Analysis:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat precursors of the incident, if any, might the organization detect?\u0026nbsp; Would any precursors cause the organization to take action before the incident occurred?\u003c/li\u003e\u003cli\u003eWhat indicators of the incident might the organization detect?\u0026nbsp; Which indicators would cause someone to think that an incident might have occurred?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to detect this particular incident?\u003c/li\u003e\u003cli\u003eHow would the incident response team analyze and validate this incident?\u0026nbsp; What personnel would be involved in the analysis and validation process?\u003c/li\u003e\u003cli\u003eTo which people and groups within the organization would the team report the incident?\u003c/li\u003e\u003cli\u003eHow would the team prioritize the handling of this incident?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eContainment, Eradication, and Recovery:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat strategy should the organization take to contain the incident?\u0026nbsp; Why is this strategy preferable to others?\u003c/li\u003e\u003cli\u003eWhat could happen if the incident were not contained?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to respond to this particular 
incident?\u003c/li\u003e\u003cli\u003eWhich personnel would be involved in the containment, eradication, and/or recovery processes?\u003c/li\u003e\u003cli\u003eWhat sources of evidence, if any, should the organization acquire?\u0026nbsp; How would the evidence be acquired?\u0026nbsp; Where would it be stored?\u0026nbsp; How long should it be retained?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003ePost-Incident Activity:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWho would attend the lessons learned meeting regarding this incident?\u003c/li\u003e\u003cli\u003eWhat could be done to prevent similar incidents from occurring in the future?\u003c/li\u003e\u003cli\u003eWhat could be done to improve detection of similar incidents?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eGeneral Questions:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eHow many incident response team members would participate in handling this incident?\u003c/li\u003e\u003cli\u003eBesides the incident response team, what groups within the organization would be involved in handling this incident?\u003c/li\u003e\u003cli\u003eTo which external parties would the team report the incident?\u0026nbsp; When would each report occur?\u003c/li\u003e\u003cli\u003eHow would each report be made?\u0026nbsp; What information would you report or not report, and why?\u003c/li\u003e\u003cli\u003eWhat other communications with external parties may occur?\u003c/li\u003e\u003cli\u003eWhat tools and resources would the team use in handling this incident?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus 
offsite)?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePlan Being Exercised\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name and location of the incident response plan being exercised\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Agenda\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIntroductions\u003c/li\u003e\u003cli\u003eReview Exercise Scope and Logistics\u003c/li\u003e\u003cli\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/li\u003e\u003cli\u003eData Collector records observations (on-going)\u003c/li\u003e\u003cli\u003eConduct exercise debrief/hotwash\u003c/li\u003e\u003cli\u003eExercise Participants released\u003c/li\u003e\u003cli\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Plan Approval\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert signature by approval authority (e.g., Business Owner or ISSO)\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Participant Guide Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eParticipant Guide\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn an 
effort to validate \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; \u0026lt;\u003cem\u003einsert name of plan being exercised\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; will conduct a tabletop exercise to examine processes and procedures associated with the implementation of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u0026nbsp; This discussion-based exercise will be a \u0026lt;\u003cem\u003einsert number of hours\u003c/em\u003e\u0026gt;-hour event that will begin at \u0026lt;\u003cem\u003einsert start time\u003c/em\u003e\u0026gt; and will last until \u0026lt;\u003cem\u003einsert end time\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003cp\u003eThe exercise is designed to facilitate communication among personnel with incident response roles and responsibilities.\u0026nbsp; The following scenarios have been chosen for this exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert scenarios from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis exercise is designed to improve the readiness of the \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; and help validate existing \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt; procedures.\u003c/p\u003e\u003cp\u003eParticipants should come to the exercise prepared to discuss high-level issues related to the incident handling based on the scenarios above.\u0026nbsp; To achieve the exercise’s stated objectives, discussion will focus on the following questions related to the scenarios and the incident response plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert questions from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eParticipants may choose to bring incident response narrative or reference material that will aid in answering the above questions.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConcept of 
Operations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA tabletop exercise is a discussion-based event in which participants meet in a “classroom” setting to address the actions participants would take in response to an emergency.\u0026nbsp; Tabletops are an effective initial step for personnel to discuss the full range of issues related to a crisis scenario.\u0026nbsp; These exercises provide an excellent forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans.\u0026nbsp; A tabletop exercise also satisfies the training requirement for personnel with incident response roles and responsibilities.\u003c/p\u003e\u003cp\u003eParticipants will be presented with an incident response scenario.\u0026nbsp; A facilitator will help guide discussion by asking questions designed to address the exercise’s objectives.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert objectives from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDebriefing/Hotwash Questions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAn after action report identifying strengths and areas where improvements might be made will be provided after the exercise.\u0026nbsp; The following questions are designed to obtain input into the after action report from participants:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAre there any other issues you would like to discuss that were not raised?\u003c/li\u003e\u003cli\u003eWhat are the strengths of the incident response plan?\u0026nbsp; What areas require closer examination?\u003c/li\u003e\u003cli\u003eWas the exercise beneficial?\u0026nbsp; Did it help prepare you to execute on your incident response roles and responsibilities?\u003c/li\u003e\u003cli\u003eWhat did you gain from the exercise?\u003c/li\u003e\u003cli\u003eHow can we improve future exercises and tests?\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report 
Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAfter Action Report\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eOn \u0026lt;\u003cem\u003einsert date\u003c/em\u003e\u0026gt;, \u0026lt;insert organization name\u0026gt; participated in a \u0026lt;\u003cem\u003einsert duration of exercise\u003c/em\u003e\u0026gt;-hour tabletop exercise designed to validate the organization’s understanding of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eCopy objectives from approved Test Plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDiscussion Findings\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u0026lt;\u003cem\u003einsert exercise name\u003c/em\u003e\u0026gt; provided information on \u0026lt;\u003cem\u003einsert relevant information\u003c/em\u003e\u0026gt;.\u0026nbsp; An important benefit of the exercise was the opportunity for participants to raise important questions, concerns, and issues.\u003c/p\u003e\u003cp\u003eThe discussion findings from the exercise along with any necessary recommended actions are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe exercise provided an excellent opportunity for participants to \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u0026nbsp; As a result of the exercise, participants left with a heightened awareness of \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific 
Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSpecific observations made during the exercise, and recommendations for enhancement of the plan, are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 1. \u0026lt;\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003eInsert general topic area\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 2. \u003c/strong\u003e\u003cem\u003e\u003cstrong\u003e\u0026lt;Insert general topic area\u0026gt;\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003eBelow is an \u003cstrong\u003eexample\u003c/strong\u003e of a completed observation and recommendations; all text in blue should be deleted upon the completion of the After-Action Report.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cem\u003eExample Observations and Recommendations:\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 1.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCommunication\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eA plan identifying the process for communicating with incident response team members does not exist.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eRecommendations:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe organization should consider developing a communications 
plan that establishes standardized communications requirements, addresses how stolen documents will be investigated, and describes procedures for incident response team personnel working with other organizations to investigate breaches.\u003c/li\u003e\u003cli\u003eThe organization should identify weaknesses in the incident handling plan and procedures to ensure that all essential personnel can be contacted in the event of a sensitive document breach.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 2.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIncident Breach Handling Protocol\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eEssential personnel have not been aware of the organizational impact of stolen documents, or of the incident breach handling protocol for investigation and recovery.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe agency should examine the criteria for ALL personnel having access to sensitive organization documents.\u0026nbsp; In addition, all personnel might need to attend a security training and awareness course on how to report incidents or suspicious activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eSample Incident Scenarios\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 1: Domain Name System (DNS) Server Denial of Service (DoS)\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. 
Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both of the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhom should the organization contact regarding the external IP address in question?\u003c/li\u003e\u003cli\u003eSuppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?\u003c/li\u003e\u003cli\u003eSuppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday morning, a new worm is released; it spreads itself through removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent. 
The organization has already incurred widespread infections before antivirus signatures become available several hours after the worm started to spread.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the incident response team identify all infected hosts?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eWould the organization attempt to patch all vulnerable machines? If so, how would this be done?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization’s website the next morning?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if one or more of the infected hosts contained sensitive personally identifiable information regarding the organization’s employees?\u003c/li\u003e\u003cli\u003eHow would the incident response team keep the organization’s users informed about the status of the incident?\u003c/li\u003e\u003cli\u003eWhat additional measures would the team perform for hosts that are not currently connected to the network (e.g., staff members on vacation, offsite employees who connect occasionally)?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 3: Stolen Documents\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s 
systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eFrom what sources might the incident response team gather evidence?\u003c/li\u003e\u003cli\u003eWhat would the team do to keep the investigation confidential?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team identified an internal host responsible for the leaks?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 4: Compromised Database Server\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. 
The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat sources might the team use to determine when the compromise had occurred?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team discovered a rootkit on the server?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 5: Unknown Exfiltration\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what was most likely inside the .RAR files? 
Which other teams might assist the incident response team?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 6: Unauthorized Access to Payroll Records\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. 
The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what actions had been performed?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the team had reason to believe that the person was a current employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 7: Disappearing Host\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. 
When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat data sources might contain information regarding the identity of the vulnerability scanning host?\u003c/li\u003e\u003cli\u003eHow would the team identify who had been performing the vulnerability scans?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at external hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 8: Telecommuting Compromise\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. 
The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the external IP address belonged to an open proxy?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?\u003c/li\u003e\u003cli\u003eSuppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer?\u003c/li\u003e\u003cli\u003eSuppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? 
How would this affect the handling of the incident if the user were a high-ranking executive in the organization?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 9: Anonymous Threat\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, the organization’s physical security team receives a call from an IT manager, reporting that two of her employees just received anonymous threats against the organization’s systems. Based on an investigation, the physical security team believes that the threats should be taken seriously and notifies the appropriate internal teams, including the incident response team, of the threats.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the incident response team do differently, if anything, in response to the notification of the threats?\u003c/li\u003e\u003cli\u003eWhat impact could heightened physical security controls have on the team’s responses to incidents?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 10: Peer-to-Peer File Sharing\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe organization prohibits the use of peer-to-peer file sharing services. The organization’s network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file sharing services. 
On a Monday evening, an intrusion detection analyst notices that several file sharing alerts have occurred during the past three hours, all involving the same internal IP address.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?\u003c/li\u003e\u003cli\u003eWhat privacy considerations may impact the handling of this incident?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 11: Unknown Wireless Access Point\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s help desk receives calls from three users on the same floor of a building who state that they are having problems with their wireless access. A network administrator who is asked to assist in resolving the problem brings a laptop with wireless access to the users’ floor. As he views his wireless networking configuration, he notices that there is a new access point listed as being available. He checks with his teammates and determines that this access point was not deployed by his team, so that it is most likely a rogue access point that was established without permission.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should be the first major step in handling this incident (e.g., physically finding the rogue access point, logically attaching to the access point)?\u003c/li\u003e\u003cli\u003eWhat is the fastest way to locate the access point? 
What is the most covert way to locate the access point?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been deployed by an external party (e.g., contractor) temporarily working at the organization’s office?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if an intrusion detection analyst reported signs of suspicious activity involving some of the workstations on the same floor of the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been removed while the team was still attempting to physically locate it?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"alex.kerr\"}\n28:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"meg - retired\"}\n2c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:0"])</script><script>self.__next_f.push([1,"0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_inter"])</script><script>self.__next_f.push([1,"nal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/role"])</script><script>self.__next_f.push([1,"s/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\""])</script><script>self.__next_f.push([1,"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"relate"])</script><script>self.__next_f.push([1,"d\":\"$96\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"roles\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nb1:{\"href\":\"https://cybergee"])</script><script>self.__next_f.push([1,"k.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security 
Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"href\":\"https"])</script><script>self.__next_f.push([1,"://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4?resourceVersion=id%3A16462\"}\ncd:{\"self\":\"$ce\"}\nd0:[]\nd1:{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is the CCIC?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity.\u0026nbsp;\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is the CCIC?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. 
The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity.\u0026nbsp;\u003c/p\u003e\"}\ncf:{\"drupal_internal__id\":3363,\"drupal_internal__revision_id\":16462,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:13:37+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d1\"}\nd5:{\"drupal_internal__target_id\":\"page_section\"}\nd4:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\""])</script><script>self.__next_f.push([1,",\"meta\":\"$d5\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/paragraph_type?resourceVersion=id%3A16462\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/relationships/paragraph_type?resourceVersion=id%3A16462\"}\nd6:{\"related\":\"$d7\",\"self\":\"$d8\"}\nd3:{\"data\":\"$d4\",\"links\":\"$d6\"}\ndb:{\"target_revision_id\":16461,\"drupal_internal__target_id\":3362}\nda:{\"type\":\"paragraph--call_out_box\",\"id\":\"80be8345-ad19-448f-83b6-3c5d0681969a\",\"meta\":\"$db\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/field_specialty_item?resourceVersion=id%3A16462\"}\nde:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/relationships/field_specialty_item?resourceVersion=id%3A16462\"}\ndc:{\"related\":\"$dd\",\"self\":\"$de\"}\nd9:{\"data\":\"$da\",\"links\":\"$dc\"}\nd2:{\"paragraph_type\":\"$d3\",\"field_specialty_item\":\"$d9\"}\ncc:{\"type\":\"paragraph--page_section\",\"id\":\"59fda
20c-2255-44ef-9fb0-d0834c579aa4\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d2\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67?resourceVersion=id%3A16464\"}\ne0:{\"self\":\"$e1\"}\ne3:[]\ne5:Ta5c,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentifying cyber threats\u0026nbsp;\u003c/li\u003e\u003cli\u003eDisseminating cybersecurity advisories and guidance\u003c/li\u003e\u003cli\u003eCoordinating incident response activities in response to ongoing threats\u003c/li\u003e\u003cli\u003eDeveloping containment and mitigation approaches for cyber threats\u003c/li\u003e\u003cli\u003eDefining minimum interoperable defensive technology requirements for CMS systems\u003c/li\u003e\u003cli\u003eReporting CMS information security and privacy incidents and breaches to HHS\u0026nbsp;\u003c/li\u003e\u003cli\u003ePerforming malware analysis and advanced analytics\u003c/li\u003e\u003cli\u003eAdhering to federal law, regulations, mandates, and directives for continual assessment and incident response activities\u003c/li\u003e\u003cli\u003eDefining information security and privacy requirements for all phases of the system development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eValidating incident response processes and procedures\u003c/li\u003e\u003cli\u003eDefining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CCIC is made up of a collection of resources and teams that 
provide continuous monitoring, incident response, and threat intelligence services to System Teams across the enterprise and access to the following resources:\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Operations Center (SOC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eISPG Security Operations Center (SOC) \u003c/strong\u003eoffers 24/7, 365 continuous monitoring activities for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC including:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSOC-as-a-Service\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The ‘SOC-as-a-Service’ was designed to provide SOC services and capabilities to CMS FISMA System Teams that are not able to provide those capabilities themselves or that do not wish to incur the costs associated with these services directly. Systems can be onboarded to the ISPG SOC through an \u003ca href=\"https://security.cms.gov/learn/cms-memorandum-understanding-mou\"\u003eMOU\u003c/a\u003e to provide a direct response to incidents, breaches, and threats. 
With improved access to information, tools, and resources, teams can develop better response capabilities.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"e6:Ta5c,"])</script><script>self.__next_f.push([1,"\u003cp\u003eThe CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentifying cyber threats\u0026nbsp;\u003c/li\u003e\u003cli\u003eDisseminating cybersecurity advisories and guidance\u003c/li\u003e\u003cli\u003eCoordinating incident response activities in response to ongoing threats\u003c/li\u003e\u003cli\u003eDeveloping containment and mitigation approaches for cyber threats\u003c/li\u003e\u003cli\u003eDefining minimum interoperable defensive technology requirements for CMS systems\u003c/li\u003e\u003cli\u003eReporting CMS information security and privacy incidents and breaches to HHS\u0026nbsp;\u003c/li\u003e\u003cli\u003ePerforming malware analysis and advanced analytics\u003c/li\u003e\u003cli\u003eAdhering to federal law, regulations, mandates, and directives for continual assessment and incident response activities\u003c/li\u003e\u003cli\u003eDefining information security and privacy requirements for all phases of the system development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eValidating incident response processes and procedures\u003c/li\u003e\u003cli\u003eDefining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CCIC is made up of a collection of resources and teams that provide continuous monitoring, incident response, and threat intelligence services to System Teams 
across the enterprise and access to the following resources:\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Operations Center (SOC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eISPG Security Operations Center (SOC) \u003c/strong\u003eoffers 24/7, 365 continuous monitoring activities for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC including:\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSOC-as-a-Service\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The ‘SOC-as-a-Service’ was designed to provide SOC services and capabilities to CMS FISMA System Teams that are not able to provide those capabilities themselves or that do not wish to incur the costs associated with these services directly. Systems can be onboarded to the ISPG SOC through an \u003ca href=\"https://security.cms.gov/learn/cms-memorandum-understanding-mou\"\u003eMOU\u003c/a\u003e to provide a direct response to incidents, breaches, and threats. 
With improved access to information, tools, and resources, teams can develop better response capabilities.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"e4:{\"value\":\"$e5\",\"format\":\"body_text\",\"processed\":\"$e6\"}\ne2:{\"drupal_internal__id\":3365,\"drupal_internal__revision_id\":16464,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:22:20+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e3\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e4\"}\nea:{\"drupal_internal__target_id\":\"page_section\"}\ne9:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ea\"}\nec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/paragraph_type?resourceVersion=id%3A16464\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/relationships/paragraph_type?resourceVersion=id%3A16464\"}\neb:{\"related\":\"$ec\",\"self\":\"$ed\"}\ne8:{\"data\":\"$e9\",\"links\":\"$eb\"}\nf0:{\"target_revision_id\":16463,\"drupal_internal__target_id\":3364}\nef:{\"type\":\"paragraph--call_out_box\",\"id\":\"bdb43863-9f16-4af9-b178-8587c253cc97\",\"meta\":\"$f0\"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/field_specialty_item?resourceVersion=id%3A16464\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/relationships/field_specialty_item?resourceVersion=id%3A16464\"}\nf1:{\"related\":\"$f2\",\"self\":\"$f3\"}\nee:{\"data\":\"$ef\",\"links\":\"$f1\"}\ne7:{\"paragraph_type\":\"$e8\",\"field_specialty_item\":\"$ee\"}\ndf:{\"type\":\"paragraph--page_section\",\"id\":\"859d0236-1261-46a5-b0de-417573614a67\",\"links\":\"$e0\",\"attributes\":\"$e2\",\"relationshi
ps\":\"$e7\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2?resourceVersion=id%3A16466\"}\nf5:{\"self\":\"$f6\"}\nf8:[]\nfa:T16bf,"])</script><script>self.__next_f.push([1,"\u003ch4\u003e\u003cstrong\u003eThreat Hunting Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThreat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams about appropriate mitigations and procedures to address gaps that lead to threats.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContent Creation and Management Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Content Creation and Management Team provides subject-matter expertise in the areas of producing alert signatures, establishing dashboards, and developing reports for data sets. With help from Splunk, SOC Content Developers create signatures, look for known threats, and generate new alerts based on new indicators of compromise.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMarketplace SOC\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Marketplace SOC reports twice per week during non-open enrollment times regarding attacks to various spaces in the marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. 
They then help System Teams drive \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e to closure prior to open enrollment and provide risk management services for POA\u0026amp;Ms.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInsider Threat\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhishing Prevention Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWorking with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. When users report phishing activity (using the Cofense button located on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eServiceNOW Security Incident Response\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis service within the SOC provides Incident Response Breach Response (IRBR) activities with improved ticketing to enhance response time. This resource also helps System Teams improve their overall incident response capabilities and update the content and accuracy of their tabletop exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Management\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) is responsible for incident response at CMS. 
They triage tickets that come to the service desk when there is a potential compromise to the security of CMS systems or data. The IMT helps speed response time and supports System Teams through the appropriate handling of incidents.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC is the home of ISPG’s in-house \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e Team. Penetration Testing (PenTesting) helps to identify areas where system security has been compromised or could be compromised in the future. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe ISPG Penetration Testing Team has knowledge of FISMA systems they’re testing, so they’re a great place to start for your Penetration Testing needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eForensics\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to\u0026nbsp; strengthen security defenses after an attack.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat Intelligence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. 
These threat hunters scan the dark web and other sources to seek out bad actors and threats before they materialize and impact CMS systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA Systems across CMS. Using external-facing tool sets like DB Protect and Invicty, the team initiates system scans every 72 hours to assess the overall security posture of each system. They share vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCCIC Engineering\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC Engineering Team helps to build and test tools used by System Teams across the enterprise. As part of this work, they run proof-of-concept for outside vendors and tools to identify what might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConnecting with the CCIC\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber threat.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"fb:T16bf,"])</script><script>self.__next_f.push([1,"\u003ch4\u003e\u003cstrong\u003eThreat Hunting Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThreat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. 
These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams about appropriate mitigations and procedures to address gaps that lead to threats.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContent Creation and Management Services\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Content Creation and Management Team provides subject-matter expertise in the areas of producing alert signatures, establishing dashboards, and developing reports for data sets. With help from Splunk, SOC Content Developers create signatures, look for known threats, and generate new alerts based on new indicators of compromise.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eMarketplace SOC\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Marketplace SOC reports twice per week during non-open enrollment times regarding attacks to various spaces in the marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. They then help System Teams drive \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e to closure prior to open enrollment and provide risk management services for POA\u0026amp;Ms.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInsider Threat\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSome threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. 
The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePhishing Prevention Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eWorking with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. When users report phishing activity (using the Cofense button located on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eServiceNOW Security Incident Response\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis service within the SOC provides Incident Response Breach Response (IRBR) activities with improved ticketing to enhance response time. This resource also helps System Teams improve their overall incident response capabilities and update the content and accuracy of their tabletop exercises.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Management\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Incident Management Team (IMT) is responsible for incident response at CMS. They triage tickets that come to the service desk when there is a potential compromise to the security of CMS systems or data. The IMT helps speed response time and supports System Teams through the appropriate handling of incidents.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Testing\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC is the home of ISPG’s in-house \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e Team. 
Penetration Testing (PenTesting) helps to identify areas where system security has been compromised or could be compromised in the future. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe ISPG Penetration Testing Team has knowledge of FISMA systems they’re testing, so they’re a great place to start for your Penetration Testing needs.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eForensics\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to\u0026nbsp; strengthen security defenses after an attack.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat Intelligence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. These threat hunters scan the dark web and other sources to seek out bad actors and threats before they materialize and impact CMS systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Analysis\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA Systems across CMS. Using external-facing tool sets like DB Protect and Invicty, the team initiates system scans every 72 hours to assess the overall security posture of each system. 
They share vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCCIC Engineering\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CCIC Engineering Team helps to build and test tools used by System Teams across the enterprise. As part of this work, they run proof-of-concept for outside vendors and tools to identify what might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS.\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConnecting with the CCIC\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber 
threat.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"f9:{\"value\":\"$fa\",\"format\":\"body_text\",\"processed\":\"$fb\"}\nf7:{\"drupal_internal__id\":3367,\"drupal_internal__revision_id\":16466,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:24:22+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$f8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$f9\"}\nff:{\"drupal_internal__target_id\":\"page_section\"}\nfe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/paragraph_type?resourceVersion=id%3A16466\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/relationships/paragraph_type?resourceVersion=id%3A16466\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\n105:{\"target_revision_id\":16465,\"drupal_internal__target_id\":3366}\n104:{\"type\":\"paragraph--call_out_box\",\"id\":\"caef88fe-5113-4c14-affc-37cc1c84cded\",\"meta\":\"$105\"}\n107:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/field_specialty_item?resourceVersion=id%3A16466\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/relationships/field_specialty_item?resourceVersion=id%3A16466\"}\n106:{\"related\":\"$107\",\"self\":\"$108\"}\n103:{\"data\":\"$104\",\"links\":\"$106\"}\nfc:{\"paragraph_type\":\"$fd\",\"field_specialty_item\":\"$103\"}\nf4:{\"type\":\"paragraph--page_section\",\"id\":\"b4617ce8-95fc-4897-818b-c27cc6651aa2\",\"links\":\"$f5\",\"attributes\":\"$f7\",\"relationships\":\"$fc\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_o
ut_box/80be8345-ad19-448f-83b6-3c5d0681969a?resourceVersion=id%3A16461\"}\n10a:{\"self\":\"$10b\"}\n10d:[]\n10f:[]\n10e:{\"uri\":\"https://cmsitsm.servicenowservices.com/connect\",\"title\":\"\",\"options\":\"$10f\",\"url\":\"https://cmsitsm.servicenowservices.com/connect\"}\n110:{\"value\":\"Do you need to report an incident? "])</script><script>self.__next_f.push([1,"The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review. \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDo you need to report an incident? The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review.\u003c/p\u003e\\n\"}\n10c:{\"drupal_internal__id\":3362,\"drupal_internal__revision_id\":16461,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:14:25+00:00\",\"parent_id\":\"3363\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$10d\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$10e\",\"field_call_out_link_text\":\"Create a ticket\",\"field_call_out_text\":\"$110\",\"field_header\":\"Report an 
incident\"}\n114:{\"drupal_internal__target_id\":\"call_out_box\"}\n113:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$114\"}\n116:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/80be8345-ad19-448f-83b6-3c5d0681969a/paragraph_type?resourceVersion=id%3A16461\"}\n117:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/80be8345-ad19-448f-83b6-3c5d0681969a/relationships/paragraph_type?resourceVersion=id%3A16461\"}\n115:{\"related\":\"$116\",\"self\":\"$117\"}\n112:{\"data\":\"$113\",\"links\":\"$115\"}\n111:{\"paragraph_type\":\"$112\"}\n109:{\"type\":\"paragraph--call_out_box\",\"id\":\"80be8345-ad19-448f-83b6-3c5d0681969a\",\"links\":\"$10a\",\"attributes\":\"$10c\",\"relationships\":\"$111\"}\n11a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97?resourceVersion=id%3A16463\"}\n119:{\"self\":\"$11a\"}\n11c:[]\n11e:[]\n11d:{\"uri\":\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026sys_id=8d414c9f1bd4e4100888ed7bbc4bcbed\u0026sysparm_category=5d2681841b17e0100888ed7bbc4bcb7f\",\"title\":\"\",\"options\":\"$11e\",\"url\":\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026sys_id=8d414c9f1bd4e4100888ed7bbc4bcbed\u0026sysparm_category=5d2681841b17e0100888ed7bbc4bcb7f\"}\n11f:{\"value\":\"Access the latest tools and resources f"])</script><script>self.__next_f.push([1,"or your FISMA system -- connect with the SOC to onboard your team. 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAccess the latest tools and resources for your FISMA system -- connect with the SOC to onboard your team.\u003c/p\u003e\\n\"}\n11b:{\"drupal_internal__id\":3364,\"drupal_internal__revision_id\":16463,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:23:07+00:00\",\"parent_id\":\"3365\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$11c\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$11d\",\"field_call_out_link_text\":\"Get started with SOC as a Service\",\"field_call_out_text\":\"$11f\",\"field_header\":\"Get SOC-as-a-Service for your team \"}\n123:{\"drupal_internal__target_id\":\"call_out_box\"}\n122:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$123\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97/paragraph_type?resourceVersion=id%3A16463\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97/relationships/paragraph_type?resourceVersion=id%3A16463\"}\n124:{\"related\":\"$125\",\"self\":\"$126\"}\n121:{\"data\":\"$122\",\"links\":\"$124\"}\n120:{\"paragraph_type\":\"$121\"}\n118:{\"type\":\"paragraph--call_out_box\",\"id\":\"bdb43863-9f16-4af9-b178-8587c253cc97\",\"links\":\"$119\",\"attributes\":\"$11b\",\"relationships\":\"$120\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded?resourceVersion=id%3A16465\"}\n128:{\"self\":\"$129\"}\n12b:[]\n12d:[]\n12c:{\"uri\":\"https://cmsitsm.servicenowservices.com/connect\",\"title\":\"\",\"options\":\"$12d\",\"url\":\"https://cmsitsm.servicenowservices.com/connect\"}\n12e:{\"value\":\"Review offerings from the CCIC in the ServiceNOW catalog (VPN 
required).\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReview offerings from the CCIC in the ServiceNOW catalog (VPN required).\u003c/p\u003e\\n\"}\n12a:{\"drupal_internal__id\":3366,\"drupal_internal__revision_id\":16465,\"langcode\":\"en\",\"status\":true,\"cre"])</script><script>self.__next_f.push([1,"ated\":\"2023-06-20T16:24:55+00:00\",\"parent_id\":\"3367\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$12b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$12c\",\"field_call_out_link_text\":\"See the catalog\",\"field_call_out_text\":\"$12e\",\"field_header\":\"Get the latest from the CCIC \"}\n132:{\"drupal_internal__target_id\":\"call_out_box\"}\n131:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$132\"}\n134:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded/paragraph_type?resourceVersion=id%3A16465\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded/relationships/paragraph_type?resourceVersion=id%3A16465\"}\n133:{\"related\":\"$134\",\"self\":\"$135\"}\n130:{\"data\":\"$131\",\"links\":\"$133\"}\n12f:{\"paragraph_type\":\"$130\"}\n127:{\"type\":\"paragraph--call_out_box\",\"id\":\"caef88fe-5113-4c14-affc-37cc1c84cded\",\"links\":\"$128\",\"attributes\":\"$12a\",\"relationships\":\"$12f\"}\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7?resourceVersion=id%3A16467\"}\n137:{\"self\":\"$138\"}\n13a:[]\n139:{\"drupal_internal__id\":3368,\"drupal_internal__revision_id\":16467,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:36+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$13a\",\"default_langcode\":true,\"revision_t
ranslation_affected\":true}\n13e:{\"drupal_internal__target_id\":\"internal_link\"}\n13d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$13e\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/paragraph_type?resourceVersion=id%3A16467\"}\n141:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/relationships/paragraph_type?resourceVersion=id%3A16467\"}\n13f:{\"related\":\"$140\""])</script><script>self.__next_f.push([1,",\"self\":\"$141\"}\n13c:{\"data\":\"$13d\",\"links\":\"$13f\"}\n144:{\"drupal_internal__target_id\":206}\n143:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":\"$144\"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/field_link?resourceVersion=id%3A16467\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/relationships/field_link?resourceVersion=id%3A16467\"}\n145:{\"related\":\"$146\",\"self\":\"$147\"}\n142:{\"data\":\"$143\",\"links\":\"$145\"}\n13b:{\"paragraph_type\":\"$13c\",\"field_link\":\"$142\"}\n136:{\"type\":\"paragraph--internal_link\",\"id\":\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\",\"links\":\"$137\",\"attributes\":\"$139\",\"relationships\":\"$13b\"}\n14a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2?resourceVersion=id%3A16468\"}\n149:{\"self\":\"$14a\"}\n14c:[]\n14b:{\"drupal_internal__id\":3369,\"drupal_internal__revision_id\":16468,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:41+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$14c\",\"default_langcode\":true,\"revision_translation_affected\":true}\n150:{\"drupal_internal__target_id\":\
"internal_link\"}\n14f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$150\"}\n152:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/paragraph_type?resourceVersion=id%3A16468\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/relationships/paragraph_type?resourceVersion=id%3A16468\"}\n151:{\"related\":\"$152\",\"self\":\"$153\"}\n14e:{\"data\":\"$14f\",\"links\":\"$151\"}\n156:{\"drupal_internal__target_id\":676}\n155:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":\"$156\"}\n158:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/field_link?resourceVersion=id%3A1646"])</script><script>self.__next_f.push([1,"8\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/relationships/field_link?resourceVersion=id%3A16468\"}\n157:{\"related\":\"$158\",\"self\":\"$159\"}\n154:{\"data\":\"$155\",\"links\":\"$157\"}\n14d:{\"paragraph_type\":\"$14e\",\"field_link\":\"$154\"}\n148:{\"type\":\"paragraph--internal_link\",\"id\":\"fc107bc4-832c-47e5-9f84-8235407eeed2\",\"links\":\"$149\",\"attributes\":\"$14b\",\"relationships\":\"$14d\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b?resourceVersion=id%3A16469\"}\n15b:{\"self\":\"$15c\"}\n15e:[]\n15d:{\"drupal_internal__id\":3370,\"drupal_internal__revision_id\":16469,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:47+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$15e\",\"default_langcode\":true,\"revision_translation_affected\":true}\n162:{\"drupal_internal__target_id\":\"internal_link\"}\n161:{\"type\":\"paragraphs_type--paragraphs_typ
e\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$162\"}\n164:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/paragraph_type?resourceVersion=id%3A16469\"}\n165:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/relationships/paragraph_type?resourceVersion=id%3A16469\"}\n163:{\"related\":\"$164\",\"self\":\"$165\"}\n160:{\"data\":\"$161\",\"links\":\"$163\"}\n168:{\"drupal_internal__target_id\":771}\n167:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":\"$168\"}\n16a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/field_link?resourceVersion=id%3A16469\"}\n16b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/relationships/field_link?resourceVersion=id%3A16469\"}\n169:{\"related\":\"$16a\",\"self\":\"$16b\"}\n166:{\"data\":\"$167\",\"links\":\"$169\"}\n15f:{\"paragraph_type\":\"$160\",\"field_link\":\"$166\"}\n15a:{\"type\":\"paragraph--internal_li"])</script><script>self.__next_f.push([1,"nk\",\"id\":\"d51b0447-02a5-4951-bc45-42b3b7ae745b\",\"links\":\"$15b\",\"attributes\":\"$15d\",\"relationships\":\"$15f\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d?resourceVersion=id%3A16470\"}\n16d:{\"self\":\"$16e\"}\n170:[]\n16f:{\"drupal_internal__id\":3371,\"drupal_internal__revision_id\":16470,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:52+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$170\",\"default_langcode\":true,\"revision_translation_affected\":true}\n174:{\"drupal_internal__target_id\":\"internal_link\"}\n173:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$17
4\"}\n176:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/paragraph_type?resourceVersion=id%3A16470\"}\n177:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/relationships/paragraph_type?resourceVersion=id%3A16470\"}\n175:{\"related\":\"$176\",\"self\":\"$177\"}\n172:{\"data\":\"$173\",\"links\":\"$175\"}\n17a:{\"drupal_internal__target_id\":581}\n179:{\"type\":\"node--explainer\",\"id\":\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\",\"meta\":\"$17a\"}\n17c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/field_link?resourceVersion=id%3A16470\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/relationships/field_link?resourceVersion=id%3A16470\"}\n17b:{\"related\":\"$17c\",\"self\":\"$17d\"}\n178:{\"data\":\"$179\",\"links\":\"$17b\"}\n171:{\"paragraph_type\":\"$172\",\"field_link\":\"$178\"}\n16c:{\"type\":\"paragraph--internal_link\",\"id\":\"4090ef92-e750-496d-8230-dcec4f6d312d\",\"links\":\"$16d\",\"attributes\":\"$16f\",\"relationships\":\"$171\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72?resourceVersion=id%3A16471\"}\n17f:{\"self\":\"$180\"}\n182:[]\n181:{\"drupal_internal__id\":3372,\"drupal_internal__re"])</script><script>self.__next_f.push([1,"vision_id\":16471,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:26:11+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$182\",\"default_langcode\":true,\"revision_translation_affected\":true}\n186:{\"drupal_internal__target_id\":\"internal_link\"}\n185:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$186\"}\n188:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/
internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/paragraph_type?resourceVersion=id%3A16471\"}\n189:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/relationships/paragraph_type?resourceVersion=id%3A16471\"}\n187:{\"related\":\"$188\",\"self\":\"$189\"}\n184:{\"data\":\"$185\",\"links\":\"$187\"}\n18c:{\"drupal_internal__target_id\":391}\n18b:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":\"$18c\"}\n18e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/field_link?resourceVersion=id%3A16471\"}\n18f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/relationships/field_link?resourceVersion=id%3A16471\"}\n18d:{\"related\":\"$18e\",\"self\":\"$18f\"}\n18a:{\"data\":\"$18b\",\"links\":\"$18d\"}\n183:{\"paragraph_type\":\"$184\",\"field_link\":\"$18a\"}\n17e:{\"type\":\"paragraph--internal_link\",\"id\":\"d8afa351-48fa-446c-9491-7865d51b2f72\",\"links\":\"$17f\",\"attributes\":\"$181\",\"relationships\":\"$183\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8?resourceVersion=id%3A16472\"}\n191:{\"self\":\"$192\"}\n194:[]\n193:{\"drupal_internal__id\":3373,\"drupal_internal__revision_id\":16472,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:26:28+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$194\",\"default_langcode\":true,\"revision_translation_affected\":true}\n198:{\"drupal_internal__target_id\":\"internal_link\"}\n197:{\"type\":"])</script><script>self.__next_f.push([1,"\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$198\"}\n19a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/paragraph_type?
resourceVersion=id%3A16472\"}\n19b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/relationships/paragraph_type?resourceVersion=id%3A16472\"}\n199:{\"related\":\"$19a\",\"self\":\"$19b\"}\n196:{\"data\":\"$197\",\"links\":\"$199\"}\n19e:{\"drupal_internal__target_id\":471}\n19d:{\"type\":\"node--library\",\"id\":\"9b633ff4-47c4-453c-9669-3bcdd7c85ae3\",\"meta\":\"$19e\"}\n1a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/field_link?resourceVersion=id%3A16472\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/relationships/field_link?resourceVersion=id%3A16472\"}\n19f:{\"related\":\"$1a0\",\"self\":\"$1a1\"}\n19c:{\"data\":\"$19d\",\"links\":\"$19f\"}\n195:{\"paragraph_type\":\"$196\",\"field_link\":\"$19c\"}\n190:{\"type\":\"paragraph--internal_link\",\"id\":\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\",\"links\":\"$191\",\"attributes\":\"$193\",\"relationships\":\"$195\"}\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}\n1a3:{\"self\":\"$1a4\"}\n1a6:{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"}\n1a7:{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"}\n1a8:[\"#cra-help\"]\n1a5:{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate 
(ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_s"])</script><script>self.__next_f.push([1,"tate\":\"published\",\"path\":\"$1a6\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$1a7\",\"field_slack_channel\":\"$1a8\"}\n1ac:{\"drupal_internal__target_id\":\"explainer\"}\n1ab:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1ac\"}\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}\n1ad:{\"related\":\"$1ae\",\"self\":\"$1af\"}\n1aa:{\"data\":\"$1ab\",\"links\":\"$1ad\"}\n1b2:{\"drupal_internal__target_id\":6}\n1b1:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1b2\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"}\n1b5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}\n1b3:{\"related\":\"$1b4\",\"self\":\"$1b5\"}\n1b0:{\"data\":\"$1b1\",\"links\":\"$1b3\"}\n1b8:{\"drupal_internal__target_id\":26}\n1b7:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1b8\"}\n1ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"}\n1bb:{\"href\":\"https://cybergeek.cm
s.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}\n1b9:{\"related\":\"$1ba\",\"self\":\"$1bb\"}\n1b6:{\"data\":\"$1b7\",\"links\":\"$1b9\"}\n1bf:{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}\n1be:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":\"$1bf\"}\n1c1:{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}\n1c0:{\"type\":\"paragraph--page_section"])</script><script>self.__next_f.push([1,"\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":\"$1c1\"}\n1bd:[\"$1be\",\"$1c0\"]\n1c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"}\n1c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}\n1c2:{\"related\":\"$1c3\",\"self\":\"$1c4\"}\n1bc:{\"data\":\"$1bd\",\"links\":\"$1c2\"}\n1c8:{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}\n1c7:{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":\"$1c8\"}\n1ca:{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}\n1c9:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":\"$1ca\"}\n1cc:{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}\n1cb:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":\"$1cc\"}\n1ce:{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}\n1cd:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":\"$1ce\"}\n1d0:{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}\n1cf:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":\"$1d0\"}\n1c6:[\"$1c7\",\"$1c9\",\"$1cb\",\"$1cd\",\"$1
cf\"]\n1d2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"}\n1d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}\n1d1:{\"related\":\"$1d2\",\"self\":\"$1d3\"}\n1c5:{\"data\":\"$1c6\",\"links\":\"$1d1\"}\n1d6:{\"drupal_internal__target_id\":131}\n1d5:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1d6\"}\n1d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"}\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonap"])</script><script>self.__next_f.push([1,"i/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}\n1d7:{\"related\":\"$1d8\",\"self\":\"$1d9\"}\n1d4:{\"data\":\"$1d5\",\"links\":\"$1d7\"}\n1dd:{\"drupal_internal__target_id\":66}\n1dc:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1dd\"}\n1df:{\"drupal_internal__target_id\":61}\n1de:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1df\"}\n1e1:{\"drupal_internal__target_id\":76}\n1e0:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1e1\"}\n1db:[\"$1dc\",\"$1de\",\"$1e0\"]\n1e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"}\n1e4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}\n1e2:{\"related\":\"$1e3\",\"self\":\"$1e4\"}\n1da:{\"data\":\"$1db\",\"links\":\"$1e2\"}\n1e8:{\"drupal_internal__target_id\":11}\n1e7:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d
0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1e8\"}\n1e6:[\"$1e7\"]\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"}\n1eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}\n1e9:{\"related\":\"$1ea\",\"self\":\"$1eb\"}\n1e5:{\"data\":\"$1e6\",\"links\":\"$1e9\"}\n1a9:{\"node_type\":\"$1aa\",\"revision_uid\":\"$1b0\",\"uid\":\"$1b6\",\"field_page_section\":\"$1bc\",\"field_related_collection\":\"$1c5\",\"field_resource_type\":\"$1d4\",\"field_roles\":\"$1da\",\"field_topics\":\"$1e5\"}\n1a2:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":\"$1a3\",\"attributes\":\"$1a5\",\"relationships\":\"$1a9\"}\n1ee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}\n1ed:{\"self\":\"$1ee\"}\n1f0:{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"e"])</script><script>self.__next_f.push([1,"n\"}\n1f1:{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"}\n1f2:[\"#cyber-risk-management\"]\n1ef:{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1f0\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":\"$1f1\",\"field_slack_channel\":\"$1f2\"}\n1f6:{\"drupal_internal__target_id\":\"explainer\"}\n1f5:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1f6\"}\n1f8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"}\n1f9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}\n1f7:{\"related\":\"$1f8\",\"self\":\"$1f9\"}\n1f4:{\"data\":\"$1f5\",\"links\":\"$1f7\"}\n1fc:{\"drupal_internal__target_id\":107}\n1fb:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$1fc\"}\n1fe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"}\n1ff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}\n1fd:{\"related\":\"$1fe\",\"self\":\"$1ff\"}\n1fa:{\"data\":\"$1fb\",\"links\":\"$1fd\"}\n202:{\"drupal_internal__target_id\":6}\n201:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-4"])</script><script>self.__next_f.push([1,"7ba-af75-2c7f8302fca8\",\"meta\":\"$202\"}\n204:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"}\n205:{\"href\":\"https://cybergeek.cms.gov
/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}\n203:{\"related\":\"$204\",\"self\":\"$205\"}\n200:{\"data\":\"$201\",\"links\":\"$203\"}\n209:{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}\n208:{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":\"$209\"}\n20b:{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}\n20a:{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":\"$20b\"}\n207:[\"$208\",\"$20a\"]\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n206:{\"data\":\"$207\",\"links\":\"$20c\"}\n212:{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}\n211:{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":\"$212\"}\n214:{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}\n213:{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":\"$214\"}\n216:{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}\n215:{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":\"$216\"}\n210:[\"$211\",\"$213\",\"$215\"]\n218:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"}\n219:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}\n217:{\"related\":\"$218\",\"self\":\"$219\"}\n20f:{\"data\":\"$210\",\"links\":\"$217\"}\n21c:{\"
drupal_internal__tar"])</script><script>self.__next_f.push([1,"get_id\":121}\n21b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$21c\"}\n21e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"}\n21f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}\n21d:{\"related\":\"$21e\",\"self\":\"$21f\"}\n21a:{\"data\":\"$21b\",\"links\":\"$21d\"}\n223:{\"drupal_internal__target_id\":61}\n222:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$223\"}\n225:{\"drupal_internal__target_id\":76}\n224:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$225\"}\n221:[\"$222\",\"$224\"]\n227:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"}\n228:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}\n226:{\"related\":\"$227\",\"self\":\"$228\"}\n220:{\"data\":\"$221\",\"links\":\"$226\"}\n22c:{\"drupal_internal__target_id\":36}\n22b:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$22c\"}\n22e:{\"drupal_internal__target_id\":11}\n22d:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$22e\"}\n22a:[\"$22b\",\"$22d\"]\n230:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"}\n231:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}\n22f:{\"related\":\"$230\",\"self\":\"$231\"}\n229:{\"data\"
:\"$22a\",\"links\":\"$22f\"}\n1f3:{\"node_type\":\"$1f4\",\"revision_uid\":\"$1fa\",\"uid\":\"$200\",\"field_page_section\":\"$206\",\"field_related_collection\":\"$20f\",\"field_resource_type\":\"$21a\",\"field_roles\":\"$220\",\"field_topics\":\"$229\"}\n1ec:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5"])</script><script>self.__next_f.push([1,"-2cecc9300e08\",\"links\":\"$1ed\",\"attributes\":\"$1ef\",\"relationships\":\"$1f3\"}\n234:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}\n233:{\"self\":\"$234\"}\n236:{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"}\n237:{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"}\n238:[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]\n235:{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$236\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$237\",\"field_slack_channel\":\"$238\"}\n23c:{\"drupal_internal__target_id\":\"explainer\"}\n23b:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$23c\"}\n23e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"}\n23f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}\n23d:{\"related\":\"$23e\",\"self\":\"$23f\"}\n23a:{\"data\":\"$23b\",\"links\":\"$23d\"}\n242:{\"drupal_internal__target_id\":6}\n241:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$242\"}\n244:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/rev"])</script><script>self.__next_f.push([1,"ision_uid?resourceVersion=id%3A5861\"}\n245:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}\n243:{\"related\":\"$244\",\"self\":\"$245\"}\n240:{\"data\":\"$241\",\"links\":\"$243\"}\n248:{\"drupal_internal__target_id\":26}\n247:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$248\"}\n24a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"}\n24b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}\n249:{\"related\":\"$24a\",\"self\":\"$24b\"}\n246:{\"data\":\"$247\",\"links\":\"$249\"}\n24f:{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}\n24e:{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":\"$24f\"}\n251:{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}\n250:{\"type\":\"paragraph--page_
section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":\"$251\"}\n253:{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}\n252:{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":\"$253\"}\n255:{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}\n254:{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":\"$255\"}\n24d:[\"$24e\",\"$250\",\"$252\",\"$254\"]\n257:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"}\n258:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}\n256:{\"related\":\"$257\",\"self\":\"$258\"}\n24c:{\"data\":\"$24d\",\"links\":\"$256\"}\n25c:{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}\n25b:{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":\"$25c\"}\n25e:{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}\n25d:{\"type\":\"p"])</script><script>self.__next_f.push([1,"aragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":\"$25e\"}\n260:{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}\n25f:{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":\"$260\"}\n262:{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}\n261:{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":\"$262\"}\n264:{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}\n263:{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":\"$264\"}\n266:{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}\n265:{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06c
cd80efb66\",\"meta\":\"$266\"}\n25a:[\"$25b\",\"$25d\",\"$25f\",\"$261\",\"$263\",\"$265\"]\n268:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}\n267:{\"related\":\"$268\",\"self\":\"$269\"}\n259:{\"data\":\"$25a\",\"links\":\"$267\"}\n26c:{\"drupal_internal__target_id\":131}\n26b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$26c\"}\n26e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"}\n26f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}\n26d:{\"related\":\"$26e\",\"self\":\"$26f\"}\n26a:{\"data\":\"$26b\",\"links\":\"$26d\"}\n273:{\"drupal_internal__target_id\":66}\n272:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$273\"}\n275:{\"drupal_internal__target_id\":61}\n274:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$275\"}\n277:{\"drupal_internal__target_id\":76}\n276:{\"type\":\"taxonomy_term--roles\",\"id\":\"f5"])</script><script>self.__next_f.push([1,"91f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$277\"}\n271:[\"$272\",\"$274\",\"$276\"]\n279:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"}\n27a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}\n278:{\"related\":\"$279\",\"self\":\"$27a\"}\n270:{\"data\":\"$271\",\"links\":\"$278\"}\n27e:{\"drup
al_internal__target_id\":36}\n27d:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$27e\"}\n280:{\"drupal_internal__target_id\":11}\n27f:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$280\"}\n27c:[\"$27d\",\"$27f\"]\n282:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"}\n283:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}\n281:{\"related\":\"$282\",\"self\":\"$283\"}\n27b:{\"data\":\"$27c\",\"links\":\"$281\"}\n239:{\"node_type\":\"$23a\",\"revision_uid\":\"$240\",\"uid\":\"$246\",\"field_page_section\":\"$24c\",\"field_related_collection\":\"$259\",\"field_resource_type\":\"$26a\",\"field_roles\":\"$270\",\"field_topics\":\"$27b\"}\n232:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":\"$233\",\"attributes\":\"$235\",\"relationships\":\"$239\"}\n286:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e?resourceVersion=id%3A5460\"}\n285:{\"self\":\"$286\"}\n288:{\"alias\":\"/learn/threat-modeling\",\"pid\":571,\"langcode\":\"en\"}\n289:{\"value\":\"Design practices that facilitate secure software development through organization and collaboration \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDesign practices that facilitate secure software development through organization and collaboration\u003c/p\u003e\\n\"}\n28a:[\"#cms-threat-modeling\"]\n287:{\"drupal_internal__nid\":581,\"drupal_internal__vid\":5460,\"langcode\":\"en\",\"revision_timestamp\":\"2024-05-17T21:42:11+00:00\""])</script><script>self.__next_f.push([1,",\"status\":true,\"title\":\"Threat 
Modeling\",\"created\":\"2022-08-29T18:53:20+00:00\",\"changed\":\"2024-05-17T15:09:41+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$288\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ThreatModeling@cms.hhs.gov\",\"field_contact_name\":\"CMS Threat Modeling Team\",\"field_short_description\":\"$289\",\"field_slack_channel\":\"$28a\"}\n28e:{\"drupal_internal__target_id\":\"explainer\"}\n28d:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$28e\"}\n290:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/node_type?resourceVersion=id%3A5460\"}\n291:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/node_type?resourceVersion=id%3A5460\"}\n28f:{\"related\":\"$290\",\"self\":\"$291\"}\n28c:{\"data\":\"$28d\",\"links\":\"$28f\"}\n294:{\"drupal_internal__target_id\":100}\n293:{\"type\":\"user--user\",\"id\":\"ee0c4536-bc99-4440-92eb-6256599174e5\",\"meta\":\"$294\"}\n296:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/revision_uid?resourceVersion=id%3A5460\"}\n297:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/revision_uid?resourceVersion=id%3A5460\"}\n295:{\"related\":\"$296\",\"self\":\"$297\"}\n292:{\"data\":\"$293\",\"links\":\"$295\"}\n29a:{\"drupal_internal__target_id\":26}\n299:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$29a\"}\n29c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/uid?resourceVersion=id%3A5460\"}\n29d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/e
xplainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/uid?resourceVersion=id%3A5460\"}\n29b:{\"related\":\"$29c\",\"self\":\"$29d\"}\n298:{\"data\":\"$299\",\"links\":\"$29b\"}\n2a1:{\"target_revision_i"])</script><script>self.__next_f.push([1,"d\":17491,\"drupal_internal__target_id\":3306}\n2a0:{\"type\":\"paragraph--page_section\",\"id\":\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\",\"meta\":\"$2a1\"}\n2a3:{\"target_revision_id\":17498,\"drupal_internal__target_id\":3313}\n2a2:{\"type\":\"paragraph--page_section\",\"id\":\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\",\"meta\":\"$2a3\"}\n29f:[\"$2a0\",\"$2a2\"]\n2a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_page_section?resourceVersion=id%3A5460\"}\n2a6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_page_section?resourceVersion=id%3A5460\"}\n2a4:{\"related\":\"$2a5\",\"self\":\"$2a6\"}\n29e:{\"data\":\"$29f\",\"links\":\"$2a4\"}\n2aa:{\"target_revision_id\":17499,\"drupal_internal__target_id\":3314}\n2a9:{\"type\":\"paragraph--internal_link\",\"id\":\"362b0424-2e7e-47f8-9515-4e33c749a551\",\"meta\":\"$2aa\"}\n2ac:{\"target_revision_id\":17500,\"drupal_internal__target_id\":3315}\n2ab:{\"type\":\"paragraph--internal_link\",\"id\":\"de10201a-15bc-4af2-bde0-d2b2f67f3596\",\"meta\":\"$2ac\"}\n2ae:{\"target_revision_id\":17501,\"drupal_internal__target_id\":3316}\n2ad:{\"type\":\"paragraph--internal_link\",\"id\":\"ded08c1c-6476-43b1-a316-7c38a1746aa4\",\"meta\":\"$2ae\"}\n2a8:[\"$2a9\",\"$2ab\",\"$2ad\"]\n2b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_related_collection?resourceVersion=id%3A5460\"}\n2b1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_related_collection?resourceVersion=id%3A5460\"}\n2af:{\"related\":\"$2b0\",\"self\":\"$2b1\"}\n2a7:{\"data\":\"$2a8\
",\"links\":\"$2af\"}\n2b4:{\"drupal_internal__target_id\":121}\n2b3:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$2b4\"}\n2b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_resource_type?resourceVersion=id%3A5460\"}\n2b7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_resource_type?resourceVers"])</script><script>self.__next_f.push([1,"ion=id%3A5460\"}\n2b5:{\"related\":\"$2b6\",\"self\":\"$2b7\"}\n2b2:{\"data\":\"$2b3\",\"links\":\"$2b5\"}\n2bb:{\"drupal_internal__target_id\":66}\n2ba:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2bb\"}\n2bd:{\"drupal_internal__target_id\":61}\n2bc:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2bd\"}\n2bf:{\"drupal_internal__target_id\":76}\n2be:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2bf\"}\n2c1:{\"drupal_internal__target_id\":71}\n2c0:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2c1\"}\n2b9:[\"$2ba\",\"$2bc\",\"$2be\",\"$2c0\"]\n2c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_roles?resourceVersion=id%3A5460\"}\n2c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_roles?resourceVersion=id%3A5460\"}\n2c2:{\"related\":\"$2c3\",\"self\":\"$2c4\"}\n2b8:{\"data\":\"$2b9\",\"links\":\"$2c2\"}\n2c8:{\"drupal_internal__target_id\":41}\n2c7:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$2c8\"}\n2ca:{\"drupal_internal__target_id\":46}\n2c9:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$2ca\"}\n2c6:[\"$2c7\",\"$2c9\"]\n2cc:{\"href\":\"htt
ps://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_topics?resourceVersion=id%3A5460\"}\n2cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_topics?resourceVersion=id%3A5460\"}\n2cb:{\"related\":\"$2cc\",\"self\":\"$2cd\"}\n2c5:{\"data\":\"$2c6\",\"links\":\"$2cb\"}\n28b:{\"node_type\":\"$28c\",\"revision_uid\":\"$292\",\"uid\":\"$298\",\"field_page_section\":\"$29e\",\"field_related_collection\":\"$2a7\",\"field_resource_type\":\"$2b2\",\"field_roles\":\"$2b8\",\"field_topics\":\"$2c5\"}\n284:{\"type\":\"node--explainer\",\"id\":\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\",\"links\":\"$285\",\"attributes\":\"$287\",\"relationships\":\"$28b\"}\n2d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/exp"])</script><script>self.__next_f.push([1,"lainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}\n2cf:{\"self\":\"$2d0\"}\n2d2:{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"}\n2d3:{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\u003c/p\u003e\\n\"}\n2d4:[\"#ccic_sec_eng_and_soc\"]\n2d1:{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing 
(PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2d2\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":\"$2d3\",\"field_slack_channel\":\"$2d4\"}\n2d8:{\"drupal_internal__target_id\":\"explainer\"}\n2d7:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2d8\"}\n2da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"}\n2db:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}\n2d9:{\"related\":\"$2da\",\"self\":\"$2db\"}\n2d6:{\"data\":\"$2d7\",\"links\":\"$2d9\"}\n2de:{\"drupal_internal__target_id\":122}\n2dd:{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":\"$2de\"}\n2e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"}\n2e1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-"])</script><script>self.__next_f.push([1,"9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}\n2df:{\"related\":\"$2e0\",\"self\":\"$2e1\"}\n2dc:{\"data\":\"$2dd\",\"links\":\"$2df\"}\n2e4:{\"drupal_internal__target_id\":26}\n2e3:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2e4\"}\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"}\n2e7
:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}\n2e5:{\"related\":\"$2e6\",\"self\":\"$2e7\"}\n2e2:{\"data\":\"$2e3\",\"links\":\"$2e5\"}\n2eb:{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}\n2ea:{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":\"$2eb\"}\n2ed:{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}\n2ec:{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":\"$2ed\"}\n2e9:[\"$2ea\",\"$2ec\"]\n2ef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"}\n2f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}\n2ee:{\"related\":\"$2ef\",\"self\":\"$2f0\"}\n2e8:{\"data\":\"$2e9\",\"links\":\"$2ee\"}\n2f4:{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}\n2f3:{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":\"$2f4\"}\n2f6:{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}\n2f5:{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":\"$2f6\"}\n2f8:{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}\n2f7:{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":\"$2f8\"}\n2fa:{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}\n2f9:{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":\"$2fa\"}\n2fc:{\"target_revision_id\":19223,\"drupal_internal"])</script><script>self.__next_f.push([1,"__target_id\":3388}\n2fb:{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":\"$2fc\"}\n2fe:{\"targ
et_revision_id\":19224,\"drupal_internal__target_id\":3389}\n2fd:{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":\"$2fe\"}\n2f2:[\"$2f3\",\"$2f5\",\"$2f7\",\"$2f9\",\"$2fb\",\"$2fd\"]\n300:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"}\n301:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}\n2ff:{\"related\":\"$300\",\"self\":\"$301\"}\n2f1:{\"data\":\"$2f2\",\"links\":\"$2ff\"}\n304:{\"drupal_internal__target_id\":121}\n303:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$304\"}\n306:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"}\n307:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}\n305:{\"related\":\"$306\",\"self\":\"$307\"}\n302:{\"data\":\"$303\",\"links\":\"$305\"}\n30b:{\"drupal_internal__target_id\":66}\n30a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$30b\"}\n30d:{\"drupal_internal__target_id\":61}\n30c:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$30d\"}\n30f:{\"drupal_internal__target_id\":76}\n30e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$30f\"}\n311:{\"drupal_internal__target_id\":71}\n310:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$311\"}\n309:[\"$30a\",\"$30c\",\"$30e\",\"$310\"]\n313:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"}\n314:{
\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relatio"])</script><script>self.__next_f.push([1,"nships/field_roles?resourceVersion=id%3A5886\"}\n312:{\"related\":\"$313\",\"self\":\"$314\"}\n308:{\"data\":\"$309\",\"links\":\"$312\"}\n318:{\"drupal_internal__target_id\":6}\n317:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$318\"}\n31a:{\"drupal_internal__target_id\":46}\n319:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$31a\"}\n316:[\"$317\",\"$319\"]\n31c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"}\n31d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}\n31b:{\"related\":\"$31c\",\"self\":\"$31d\"}\n315:{\"data\":\"$316\",\"links\":\"$31b\"}\n2d5:{\"node_type\":\"$2d6\",\"revision_uid\":\"$2dc\",\"uid\":\"$2e2\",\"field_page_section\":\"$2e8\",\"field_related_collection\":\"$2f1\",\"field_resource_type\":\"$302\",\"field_roles\":\"$308\",\"field_topics\":\"$315\"}\n2ce:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":\"$2cf\",\"attributes\":\"$2d1\",\"relationships\":\"$2d5\"}\n320:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3?resourceVersion=id%3A5758\"}\n31f:{\"self\":\"$320\"}\n322:{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"pid\":461,\"langcode\":\"en\"}\n324:T23062,"])</script><script>self.__next_f.push([1,"\u003ch3\u003eIntroduction\u003c/h3\u003e\u003cp\u003eRMH Chapter 8 Incident Response documents the controls that focus on how the organization must: establish an operational incident handling capability for organizational information systems that includes adequate preparation, 
detection, analysis, containment, recovery, and user response activities; and track, document, and report incidents to appropriate organizational officials and/or authorities. Procedures addressed include incident response training, incident response testing, incident handling, monitoring and reporting, and information spillage response. Within this chapter, readers will find the CMS Cybersecurity Integration Center (CCIC) Functional Area Overview figure and how the Incident Management Team (IMT) within the CCIC works with systems to mitigate information security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLooking for templates and forms about Incident Response\u003c/strong\u003e? Within this page you can find:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eCMS Security and Privacy Incident Report form\u003c/a\u003e (for reporting an incident)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eIncident Response Plan Template\u003c/a\u003e (for creating your Incident Response plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-test-plan-template\"\u003eTabletop Exercise Test Template\u003c/a\u003e (for creating your Tabletop Exercise that you will use to test your Incident Response Plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-participant-guide-template\"\u003eTabletop Exercise Participant Guide Template\u003c/a\u003e (for creating Participant Guides that you can give to people who will be participating in your Tabletop 
Exercise)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#after-action-report-template\"\u003eAfter-Action Report Template\u003c/a\u003e (for summarizing the outcomes / finding of the Tabletop Exercise, along with any necessary next steps)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eCommon Control Inheritance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe inherited controls list can be used to identify common controls offered by system alternatives. The use of inherited controls is optional, the objective of this process is to identify opportunities to extract benefits (and reduce costs) by maximizing the use of already existing solutions, and minimizing duplication of efforts across the enterprise.\u003c/p\u003e\u003cp\u003eBelow is a listing of controls that can be inherited, where they can be inherited from and if they are a hybrid control for this control family.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Response Control\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInheritable From\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eHybrid Control\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-01\u003c/td\u003e\u003ctd\u003eOCISO Inheritable Controls\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - 
EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(02)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(01)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(04)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-08\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(03)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(04)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eProcedures\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProcedures assist in the implementation of the required security and privacy controls.\u003c/p\u003e\u003cp\u003eIn this section, the IR family procedures are outlined. To increase traceability, each procedure maps to the associated National Institute of Standards and Technology (NIST) controls using the control number from the CMS Acceptable Risk Safeguards (ARS).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Training (IR-02)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Training is to prepare individuals to prevent, detect, and respond to security and privacy incidents, and ensure that CMS fulfills Federal Information Security Modernization Act (FISMA) requirements. Incident response training should be consistent with the roles and responsibilities assigned in the incident response plan. For example, incident response training is applicable to Information System Owners (SO), Business Owners (BO), and Information System Security Officers (ISSO). 
CMS personnel (i.e., employees and contractors) who routinely access sensitive data, such as names, Social Security numbers, and health records to carry out the CMS mission receive incident response training annually as part of the general information security awareness training.\u003c/p\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) shall endorse and promote an organization-wide information systems security and privacy awareness training. According to \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e the CIO shall establish, implement, and enforce a CMS-wide framework to facilitate an incident response program including Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) breaches that ensures proper and timely reporting to HHS. In the CMS IS2P2, the CISO and the SOP shall ensure the CMS-wide implementation of Department and CMS policies and procedures that relate to information security and privacy incident response.\u003c/p\u003e\u003cp\u003eUsers must be aware that the Internal Revenue Code (IRC), Section 6103(p)(4)(D) requires that agencies receiving FTI provide appropriate safeguard measures to ensure the confidentiality of the FTI. Incident response training is one of the safeguards for implementing this requirement.\u003c/p\u003e\u003cp\u003eThe CMS Information Security and Privacy Group (ISPG) will provide incident response training to information system users that is consistent with assigned roles and responsibilities when assuming an incident response role or responsibility and annually thereafter. 
For example, general users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. In addition, those responsible for identifying and responding to a security incident must understand how to recognize when PII or PHI are involved so that they can coordinate with the SOP.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally-defined parameters (ODPs) for IR-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters – Control IR-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within [\u003cem\u003eAssignment: organization- defined time period\u003c/em\u003e] of assuming an incident response role or responsibility;\u003c/p\u003e\u003cp\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within one (1) month of assuming an incident response role or responsibility;\u003cbr\u003e\u003cbr\u003eb. 
When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eTraining for General Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor all Enterprise User Administration (EUA) users the following steps outline the process for completing the CMS Computer-based Training (CBT), which includes IR training.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eThe incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e. The training will be delivered to all EUA users initially prior to account issuance and annually thereafter. It is the responsibility of users to take this training within three (3) days.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEach year, based on the date of account issuance, each user receives an email that requires a review and completion of the annual CBT.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eTraining records are maintained using the CBT database and include the User ID (UID) and the date the individual last completed the training.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRole-Based Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor individuals with incident response roles and responsibilities, role-based training is satisfied through the execution of a tabletop exercise as long as all personnel with incident response roles and responsibilities participate in the exercise. 
Review Section 3.2 Incident Response Testing for procedures to conduct a tabletop exercise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSimulated Events (IR-02(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to facilitate the effective response by personnel who handle crisis situations by incorporating simulated events into incident response training. Exercises involving simulated incidents can also be very useful for preparing staff for incident handling.1\u003c/p\u003e\u003cp\u003eThe selection of the scenarios should occur as a part of the test plan development; see Section 3.2 Incident Response Testing for developing the test plan. The following details the CMS specific process for incorporating simulated events/scenarios into incident response training, through the execution of a tabletop exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eSelect two scenarios from the list below that will form the foundation of the tabletop exercise. Document the scenarios and a description of each in the Tabletop Exercise Test Plan. It is important to select your scenarios based upon an assessment of risk (i.e., the greatest current threats). Weaknesses identified during prior incidents might identify good candidate scenarios for future incident response tests. In addition, results from prior \u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003esecurity control assessments (SCAs)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or existing \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e might assist in selecting scenarios for incident response testing. 
For example, if access control was identified as a weakness during a prior SCA, a good scenario to select for incident response testing would be scenario 6 (Unauthorized Access to Payroll Records). Detailed descriptions of each of these scenarios can be found in the ISPL (Information Security and Privacy Library) and the scenarios are listed below:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eScenario 1: \u003c/strong\u003eDomain Name System (DNS) Server Denial of Service (DoS)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 2: \u003c/strong\u003eWorm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 3: \u003c/strong\u003eStolen Documents\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 4: \u003c/strong\u003eCompromised Database Server\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 5: \u003c/strong\u003eUnknown Exfiltration\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 6: \u003c/strong\u003eUnauthorized Access to Payroll Records\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 7: \u003c/strong\u003eDisappearing Host\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 8: \u003c/strong\u003eTelecommuting Compromise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 9: \u003c/strong\u003eAnonymous Threat\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 10: \u003c/strong\u003ePeer-to-Peer File Sharing\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 11: \u003c/strong\u003eUnknown Wireless Access Point\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEnsure that the material developed for the tabletop exercise supports the scenarios selected. 
Review Section 3.2 Incident Response Testing for more information on developing the exercise material.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eExecute the tabletop test using the procedures outlined below in Section 3.2 Incident Response Testing.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Training Environments (IR-02(02))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Incident Response Training/Automated Training Environments is to ensure that CMS employs automated mechanisms to provide a more thorough and realistic incident training environment. At CMS, incident training and incident response testing are both satisfied through the execution of a tabletop exercise. These tabletop exercises are designed to incorporate automated mechanisms for incident response; review Section 3.2.1 Automated Testing for the detailed procedure that ensures automated mechanisms are incorporated into incident response training.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Testing (IR-03)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Testing is to ensure that CMS tests the incident response capability for the information system using testing principles to determine the incident response effectiveness and document the results.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters (ODPs) for IR testing.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control IR-03\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization tests the incident response capability for the information system:\u003c/p\u003e\u003cp\u003e[Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe organization tests the incident response capability for the information system within every three hundred sixty-five (365) days using NIST SP 800-61, reviews, analyses, and simulations to determine the organization’s incident response effectiveness, and documents its findings.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS incident response testing is accomplished through the execution of tabletop exercises. Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss roles during an emergency and the responses to a particular emergency situation.\u0026nbsp; A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a tabletop exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete the Test Plan utilizing the Tabletop Exercise Test Plan Template located in the ISPL. Testing must include two scenario-based exercises to determine the ability of the CMS to respond to information security and privacy incidents. 
Scenarios should be selected which integrate the use of automated mechanisms for incident response.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAcquire approval of the Test Plan from the Business Owner and/or ISSO. The approval is granted by signing the final row of the Test Plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDevelop the exercise materials (e.g., briefings, Participant Guide). A sample Tabletop Exercise Participant Guide Template is located in the ISPL. For more information on functional exercise material please refer to Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/84/final\"\u003eNIST SP 800-84\u003c/a\u003e, \u003cem\u003eGuide to Test, Training, and Exercise Programs for IT Plans and Capabilities.\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eConduct the tabletop exercise according to the approved Test Plan. The agenda contained within the Test Plan serves as a guide for executing the exercise. Prior to releasing the exercise participants, the Exercise Facilitator and Data Collector conduct a debrief/hotwash.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eEvaluate the tabletop exercise by completing the After-Action Report located in the ISPL. This step is completed by the Exercise Facilitator and Data Collector.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCoordination with Related Plans (IR-03(02))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of the Incident Response Testing/Coordination with Related Plans is to ensure that CMS coordinates incident response testing with organizational elements responsible for related plans. 
Related plans can include but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfiguration Management Plan\u003c/li\u003e\u003cli\u003eInformation System Contingency Plan\u003c/li\u003e\u003cli\u003ePatch and Vulnerability Management Plan\u003c/li\u003e\u003cli\u003eInformation System Continuous Monitoring Strategy/Plan\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following steps detail the CMS specific process to ensure Coordination with Related Plans:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1:\u0026nbsp; \u003c/strong\u003eIdentify the related plans and the stakeholders associated with each.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEstablish a primary method of communication. Possible methods of communication include emails, face-to-face meetings, and teleconferences.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eUsing the primary method of communication identified above, request copies of related plans. Review the related plans identifying dependencies for the IR test.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eIdentify stakeholders from related plans that will be required to participate in the incident response exercise. Coordinate with the stakeholders through the establishment, review, and execution of a test plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eConduct follow up communications as necessary. 
Specifically, a copy of the After-Action Report should be provided to stakeholders associated with related plans so that those plans may be updated as needed.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Handling (IR-04)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS implements an incident handling capability for security and privacy incidents that includes 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post incident activity.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAll distributed Incident Response Teams (IRT) fall under the authority of the CCIC IMT, the single information security and privacy incident coordination entity. Each individual system is responsible for identifying incident responders as part of the system’s Incident Response Plan (IRP). The incident responders serve as the frontline of the incident handling capability with oversight and incident response assistance provided by the IMT. This section of the document establishes the specific requirements and processes for maintaining a unified, cohesive incident handling capability across the CMS enterprise and describes the relationship between the IMT and the frontline incident responders.\u003c/p\u003e\u003cp\u003eIn the event of a suspected or confirmed privacy (PII) data breach, CCIC IMT will notify ISPG that a Breach Analysis Team (BAT) should be convened, including representatives from ISPG, IMT, and system stakeholders such as the system Business Owner. The BAT will conduct and document a formal Risk Assessment to assess the risk of harm to individuals potentially affected by the breach. 
The following factors are used:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNature and sensitivity of PII\u003c/li\u003e\u003cli\u003eLikelihood of access and use of PII; and\u003c/li\u003e\u003cli\u003eType of breach\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the Risk Assessment concludes that there is a moderate or high risk that PII has been compromised, the CMS Senior Official for Privacy will work with IMT and system stakeholders to develop a notification plan to notify affected individuals and mitigate their risk.\u003c/p\u003e\u003cp\u003eAffected individuals should be notified of a breach via first-class mail where possible, though depending on the nature and scale of the breach, additional methods such as email, telephone, and local media outreach may be used. The breach notification should include the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSource of the breach\u003c/li\u003e\u003cli\u003eBrief description\u003c/li\u003e\u003cli\u003eDate of discovery and breach occurrence\u003c/li\u003e\u003cli\u003eType of PII involved\u003c/li\u003e\u003cli\u003eA statement whether or not the information was encrypted\u003c/li\u003e\u003cli\u003eWhat steps individuals should take to protect themselves from potential harm and services being provided to potentially affected individuals\u003c/li\u003e\u003cli\u003eWhat the agency is doing to investigate and resolve the breach\u003c/li\u003e\u003cli\u003eWho affected individuals should contact for information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition to breach notification, CMS must also consider how best to mitigate the risk of harm to affected individuals. 
CMS may need to provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCountermeasures against misuse of lost PII/PHI, such as notifying a bank if credit card numbers are lost\u003c/li\u003e\u003cli\u003eGuidance on how affected individuals can protect themselves against identity theft, such as education on credit freezes and other defensive measures\u003c/li\u003e\u003cli\u003eServices, such as credit monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Breach Analysis Team may determine that some, all, or none of these mitigation techniques are appropriate for a given breach. Some breaches may require notification, but not mitigation.\u003c/p\u003e\u003cp\u003eThe SOP coordinates with HHS Privacy Incident Response Team (PIRT) for review and approval of CMS response plan, breach notification, and breach mitigation. Incident handling activities should be coordinated with contingency planning activities; and the lessons learned from ongoing incident handling activities should be incorporated into incident response procedures, training and testing. The procedure below provides an inclusive set of specific steps and requirements for handling information security and privacy incidents using the four-phase lifecycle. This lifecycle must be used by the IMT and the frontline incident responders to properly handle information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident response methodologies typically emphasize preparation, not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. 
Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for phase one (preparation) of the incident handling lifecycle:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure the proper preparations have been made to respond to information security and privacy incidents by completing the Incident Preparation Checklist located in the ISPL. This checklist should be reviewed annually in coordination with the update to the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEnsure regular practices have been implemented to prevent information security and privacy incidents. The list below taken from NIST SP 800-61 Rev. 2 provides a brief overview of some of the main recommended practices for securing networks, systems and applications.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eRisk Assessments: \u003c/strong\u003ePeriodic risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities. This should include understanding the applicable threats, including organization-specific threats. Each risk should be prioritized, and the risks can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. 
Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard for risk assessment requires that the results of the risk assessment are reviewed at least annually and that the risk assessment is updated at least every three years or when a significant change occurs.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eHost Security: \u003c/strong\u003eAll hosts should be hardened appropriately using standard configurations. In addition to keeping each host properly patched, hosts should be configured to follow the principle of least privilege, granting users only the privileges necessary for performing authorized tasks. Hosts should have auditing enabled and should log significant security-related events. The security of hosts and configurations should be continuously monitored. Many organizations use Security Content Automation Protocol (SCAP) configuration checklists to assist in securing hosts consistently and effectively.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires the implementation of the latest security configuration baselines established by the HHS, U.S. Government Configuration Baselines (USGCB), and the National Checklist Program (NCP).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNetwork Security: \u003c/strong\u003eThe network perimeter should be configured to deny all activity that is not expressly permitted. 
This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires that the information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalware Prevention: \u003c/strong\u003eSoftware to detect and stop malware should be deployed throughout the organization. Malware protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., email server, web proxies), and the application client level (e.g., email clients, instant messaging clients). The CMS standard requires that malicious code protection mechanisms are implemented as follows:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDesktops: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eServers \u003c/strong\u003e(to include databases and applications)\u003cstrong\u003e: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, malicious code protection mechanisms should be updated whenever new releases are available in accordance with CMS configuration management policy and procedures. Antivirus definitions should be updated in near-real-time. 
Malicious code protection mechanisms should be configured to lock and quarantine malicious code and send alerts to administrators in response to malicious code detection.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eUser Awareness and Training: \u003c/strong\u003eUsers should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications as well as the policy and procedures for safeguarding data that is not in digital form (e.g., PII in paper form). Applicable lessons learned from previous incidents should also be shared with users to evaluate how actions taken by the user could affect the organization. Improving user awareness regarding incidents should reduce the frequency of incidents. IT staff should be trained to maintain networks, systems, and applications in accordance with the organization’s security standards. All users should be trained to protect printed hard/paper copies of data, including PII.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires all general users receive security and privacy awareness training annually. The incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e\u003ca href=\"https://www.cms.gov/cbt/forms/isspa.aspx\"\u003e.\u003c/a\u003e The training must be delivered to all EUA users initially prior to account issuance and annually thereafter.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMaintain Inventory: \u003c/strong\u003eMaintain an accurate inventory of information system components identifying those components that store, transmit, and/or process PII. 
An accurate inventory facilitates the implementation of the appropriate information security and privacy controls and is critical to preventing, detecting, and responding to information security incidents.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure that the preparation and prevention techniques listed in Steps 1 and 2 above have been incorporated into the incident response plan for the information system and exercised at least annually. Review Incident Response Plan for details on developing the incident response plan and Incident Response Testing for details on incident response testing.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePrepare for Common Attack Vectors. 
The attack vectors listed below are not intended to provide definitive classification for incidents; but rather, to simply list common methods of attack, which can be used as a basis for detection:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eExternal/Removable Media: \u003c/strong\u003eAn attack executed from removable media or a peripheral device, for example, malicious code spreading onto a system from an infected universal serial bus (USB) flash drive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAttrition: \u003c/strong\u003eAn attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services (e.g., a Distributed Denial of Service (DDoS) intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords, CAPTCHAS, or digital signatures).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWeb: \u003c/strong\u003eAn attack executed from a website or web-based application; for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEmail: \u003c/strong\u003eAn attack executed via an email message or attachment; for example, exploit code disguised as an attached document or a link to a malicious website in the body of an email message.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImpersonation: \u003c/strong\u003eAn attack involving replacement of something benign with something malicious; for example: spoofing, man in the middle attacks, rogue wireless access points, and structured query language (SQL) injection attacks all involve impersonation.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproper Usage: \u003c/strong\u003eAny incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories; for example, a user installs file 
sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRecognize the Signs of an Incident.\u0026nbsp; Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Precursors and indicators are identified using many different sources, with the most common being computer security software alerts, logs, publicly available information, and people. The table below, taken from \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Rev. 2\u003c/a\u003e, lists common sources of precursors and indicators for each category.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: Common Sources of Precursors and Indicators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlerts\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIDPSs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntrusion Detection and Prevention Systems (IDPS) products identify suspicious events and record pertinent data about them, including the date and time the attack was detected, the type of attack, the source and destination IP addresses, and the username (if applicable and known). Most IDPS products use attack signatures to identify malicious activity; the signatures must be kept up to date so that the newest attacks can be detected. 
IDPS software often produces \u003cem\u003efalse positives, \u003c/em\u003ealerts that indicate malicious activity is occurring, when in fact there has been none. Analysts should manually validate IDPS alerts either by closely reviewing the recorded supporting data or by getting related data from other sources.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSIEMs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eSecurity Information and Event Management (SIEM) products are similar to IDPS products, and can generate alerts based on analysis of log data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAntivirus and anti-spam software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eAntivirus software detects various forms of malware, generates alerts, and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks, and other malicious content, so alerts from antispam software may indicate attack attempts.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFile integrity checking software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFile integrity checking software can detect changes made to important files during incidents. It uses a hashing algorithm to obtain a cryptographic checksum for each designated file. If the file is altered and the checksum is recalculated, an extremely high probability exists that the new checksum will not match the old checksum. 
By regularly recalculating checksums and comparing checksum with previous values, changes to files can be detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eThird-party monitoring services\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThird parties offer a variety of subscription-based and free monitoring services. An example is fraud detection services that will notify an organization if its IP addresses, domain names, etc. are associated with current incident activity involving other organizations. There are also free real-time deny lists with similar information.\u003c/p\u003e\u003cp\u003eAnother example of a third-party monitoring service is a CSIRC notification list; these lists are often available only to other incident response teams.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003eLogs\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eOperating system, service and application logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eLogs from operating systems, services, and applications (particularly audit-related data) are frequently of great value when an incident occurs, such as recording which accounts were accessed and what actions were performed. Organizations should require a baseline level of logging on all systems and a higher baseline level on critical systems. 
Logs can be used for analysis by correlating event information.\u003c/p\u003e\u003cp\u003eDepending on the event information, an alert can be generated to indicate an incident.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork device logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLogs from network devices such as firewalls and routers are not typically a primary source of precursors or indicators. Although these devices are usually configured to log blocked connection attempts, little information is provided about the nature of the activity. Still, the devices can be valuable in identifying network trends and in correlating events detected by other devices.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork flows\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eA network flow is a particular communication session occurring between hosts. Routers and other networking devices can provide network flow information, which can be used to find anomalous network activity caused by malware, data exfiltration, and other malicious acts. There are many standards for flow data formats, including NetFlow, sFlow, and IPFIX.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePublicly Available Information\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation on new vulnerabilities and exploits\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eKeeping up with new vulnerabilities and exploits can prevent some incidents from occurring and assist in detecting and analyzing new attacks. The National Vulnerability Database (NVD) contains information on vulnerabilities. 
Organizations such as US-CERT and CERT®/CC periodically provide threat update information through briefings, web postings, and mailing lists.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePeople\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from within the organization\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eUsers, system administrators, network administrators, security staff, and others within the organization may report signs of incidents. It is important to validate all such reports. One approach is to ask people who provide such information how confident they are in the accuracy of the information. Recording this estimate along with the information provided can help considerably during incident analysis, particularly when conflicting data is discovered.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from other organizations\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReports of incidents that originate externally should be taken seriously. For example, the organization might be contacted by a party claiming a system at the organization is attacking the other party’s systems. External users may also report other indicators, such as a defaced web page or an unavailable service. Other incident response teams also may report incidents. 
It is important to have mechanisms in place for external parties to report indicators and for trained staff to monitor those mechanisms carefully; this may be as simple as setting up a phone number and email address, configured to forward messages to the help desk.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eReport and Analyze the Incident. Report the incident using the procedures outlined in Section 3.5 Incident Reporting. Once reported, the IMT and frontline IR responders analyze the incident. The following are recommendations taken from \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Rev. 2, \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/a\u003e, for making incident analysis easier and more effective:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eProfile Networks and Systems\u003c/strong\u003e: Profiling is measuring the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling are running file integrity checking software on hosts to derive checksums for critical files and monitoring network bandwidth usage to determine what the average and peak usage levels are on various days and times. In practice, it is difficult to detect incidents accurately using most profiling techniques; organizations should use profiling as one of several detection and analysis techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUnderstand Normal Behaviors\u003c/strong\u003e: Incident response team members should study networks, systems, and applications to understand what the normal behavior is so that abnormal behavior can be recognized more easily. 
No incident handler will have a comprehensive knowledge of all behavior throughout the environment, but handlers should know which experts could fill in the gaps. One way to gain this knowledge is through reviewing log entries and security alerts. This may be tedious if filtering is not used to condense the logs to a reasonable size. As handlers become more familiar with the logs and alerts, handlers should be able to focus on unexplained entries, which are usually more important to investigate. Conducting frequent log reviews should keep the knowledge fresh, and the analyst should be able to notice trends and changes over time. The reviews also give the analyst an indication of the reliability of each source.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCreate a Log Retention Policy: \u003c/strong\u003eInformation regarding an incident may be recorded in several places, such as firewall, IDPS, and application logs. Creating and implementing a log retention policy that specifies how long log data should be maintained may be extremely helpful in analysis because older log entries may show reconnaissance activity or previous instances of similar attacks. Another reason for retaining logs is that incidents may not be discovered until days, weeks, or even months later. The length of time to maintain log data is dependent on several factors, including the organization’s data retention policies and the volume of data. See NIST SP 800-92, \u003cem\u003eGuide to Computer Security Log Management\u003c/em\u003e, for additional recommendations related to logging.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePerform Event Correlation: \u003c/strong\u003eEvidence of an incident may be captured in several logs that each contain different types of data; a firewall log may have the source IP address that was used, whereas an application log may contain a username. 
A network IDPS may detect that an attack was launched against a particular host, but it may not know if the attack was successful. The analyst may need to examine the host’s logs to determine that information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCorrelating events among multiple indicator sources can be invaluable in validating whether a particular incident occurred.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eKeep All Host Clocks Synchronized\u003c/strong\u003e: Protocols such as the Network Time Protocol (NTP) synchronize clocks among hosts. Event correlation will be more complicated if the devices reporting events have inconsistent clock settings. From an evidentiary standpoint, it is preferable to have consistent timestamps in logs, for example, to have three logs that show an attack occurred at 12:07:01 a.m., rather than logs that list the attack as occurring at 12:07:01, 12:10:35, and 11:07:06.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMaintain and Use a Knowledge Base of Information: \u003c/strong\u003eThe knowledge base should include information that handlers need for referencing quickly during incident analysis. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets, and relatively simple databases provide effective, flexible, and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries, and application error codes.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse Internet Search Engines for Research: \u003c/strong\u003eInternet search engines can help analysts find information on unusual activity. For example, an analyst may see some unusual connection attempts targeting TCP port 22912. 
Performing a search on the terms “TCP,” “port,” and “22912” may return some hits that contain logs of similar activity or even an explanation of the significance of the port number. Note that separate workstations should be used for research to minimize the risk to the organization from conducting these searches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRun Packet Sniffers to Collect Additional Data: \u003c/strong\u003eSometimes the indicators do not record enough detail to permit the handler to understand what is occurring. If an incident is occurring over a network, the fastest way to collect the necessary data may be to have a packet sniffer capture the network traffic. Configuring the sniffer to record traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information. Because of privacy concerns, some organizations may require incident handlers to request and receive permission before using packet sniffers.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFilter the Data: \u003c/strong\u003eThere is simply not enough time to review and analyze all the indicators; at minimum, the most suspicious activity should be investigated. One effective strategy is to filter out categories of indicators that tend to be insignificant. Another filtering strategy is to show only the categories of indicators that are of the highest significance; however, this approach carries substantial risk because new malicious activity may not fall into one of the chosen indicator categories.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSeek Assistance from Others: \u003c/strong\u003eOccasionally, the team will be unable to determine the full cause and nature of an incident. 
If the team lacks sufficient information to contain and eradicate the incident, then it should consult with internal resources (e.g., information security staff) and external resources (e.g., US-CERT, other CSIRTs (Computer Security Incident Response Teams), contractors with incident response expertise). It is important to accurately determine the cause of each incident so that it can be fully contained.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 4\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eContinue to document updates to the incident in the Incident Response Reporting Template form.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003ePrioritize the incident using the criteria found in the \u003cem\u003e“Impact Category, Attack Vector Descriptions, \u0026amp; Attribute Category” \u003c/em\u003edocument of the Incident Response Reporting document which is located in the ISPL\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEstablish communication method and notify the appropriate CMS personnel. The Incident Notification Table located in the Incident Response Steps for CISO (Appendix A) is a guide on notification steps per incident type. 
The list below provides examples of individuals that may require notification in the event of an incident:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eHHS Office of the Inspector General (OIG)\u003c/li\u003e\u003cli\u003eLocal incident response team within the organization\u003c/li\u003e\u003cli\u003eExternal incident response team (if appropriate)\u003c/li\u003e\u003cli\u003eSystem Owner\u003c/li\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Business Owner\u003c/li\u003e\u003cli\u003eSystem Cyber Risk Advisor\u003c/li\u003e\u003cli\u003eCMS Office of Human Capital (for cases involving employees, such as harassment through email)\u003c/li\u003e\u003cli\u003eCMS Office of Financial Management (in the case where extra funding is needed for investigation activities)\u003c/li\u003e\u003cli\u003eCMS Office of Communications (for incidents that may generate publicity)\u003c/li\u003e\u003cli\u003eCMS Office of Legislation (for incidents with potential legal ramifications)\u003c/li\u003e\u003cli\u003eUS-CERT (required for Federal agencies and systems operated on behalf of the Federal government)\u003c/li\u003e\u003cli\u003eIndividual (whose PII has been compromised)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe table below documents the responsibilities that should be fulfilled by employees in certain roles during an incident response event:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRole\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsibility\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCISO\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eLead the 
investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eOnce an incident has been validated, the incumbent CISO will follow the steps in the CISO Playbook which is attached as Appendix A. This playbook details the CISO’s responsibilities, the scenarios to be considered and the relevant incident response contacts during an event.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIMT Lead\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify and deliver incident situation reports to CMS CISO.\u003c/li\u003e\u003cli\u003eCoordinate Incident Response activities\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSenior Official for Privacy (SOP)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCoordinate/Support incident response activities with CISO.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the system Business Owner and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling which includes all incidents involving PII/PHI.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eWorks with IMT Lead to coordinate incident response activities related to their assigned CMS information systems.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the Senior Official for Privacy and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify IMT of incident 
situation\u003c/li\u003e\u003cli\u003eEnsure Incident Response form has been completed as accurately as possible at the time of the initial report.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDesignated Appointee\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eUpdate the ServiceNow ticket as the situation arises and follow up with the CMS IT Helpdesk until incident has been resolved.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContainment, Eradication and Recovery\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eChoose a containment strategy. The containment strategy is determined based on the type of the incident (e.g., disconnect system from the network, or disable certain functions). Frontline incident responders should work with the IMT to select an appropriate containment strategy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eGather and handle evidence. The CCIC Forensic, Malware and Analysis Team (FMAT) maintain the criteria for evidence collection and a procedure to ensure a chain of custody. The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eIdentify the attacking host. The following items taken from NIST-SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide \u003c/em\u003edescribe the most commonly performed activities for attacking host identification:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eValidating the Attacking Host’s IP Address: \u003c/strong\u003eNew incident handlers often focus on the attacking host’s IP address. 
The handler may attempt to validate that the address was not spoofed by verifying connectivity to it; however, this simply indicates that a host at that address does or does not respond to the requests. A failure to respond does not mean the address is not real, for example, a host may be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic address that has already been reassigned to someone else.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResearching the Attacking Host through Search Engines: \u003c/strong\u003ePerforming an Internet search using the apparent source IP address of an attack may lead to more information on the attack, for example, a mailing list message regarding a similar attack.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUsing Incident Databases: \u003c/strong\u003eSeveral groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time deny lists. The organization can also check its own knowledge base or issue tracking system for related activity.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitoring Possible Attacker Communication Channels: \u003c/strong\u003eIncident handlers can monitor communication channels that may be used by an attacking host. For example, many bots use IRC as the primary means of communication. Also, attackers may congregate on certain IRC channels to brag about compromises and share information. However, incident handlers should treat any such information acquired only as a potential lead, not as fact.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eEradicate the incident and recover. Eliminate components of the incident (e.g. delete malware, disable breached accounts, identify and mitigate vulnerabilities that were exploited). 
Incident responders should coordinate with the IMT to identify and execute a strategy for eradication of the incident. Once eradication has been completed, restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eConduct a lessons learned meeting. One of the most important parts of incident response is also the most often omitted: learning and improving. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the meeting include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eExactly what happened, and at what times?\u003c/li\u003e\u003cli\u003eHow well did staff and management perform in dealing with the incident? 
Were the documented procedures followed and adequate?\u003c/li\u003e\u003cli\u003eWhat information was needed sooner?\u003c/li\u003e\u003cli\u003eWere any steps or actions taken that might have inhibited the recovery?\u003c/li\u003e\u003cli\u003eWhat would the staff and management do differently the next time a similar incident occurs?\u003c/li\u003e\u003cli\u003eHow could information sharing with other organizations have been improved?\u003c/li\u003e\u003cli\u003eWhat corrective actions can prevent similar incidents in the future?\u003c/li\u003e\u003cli\u003eWhat precursors or indicators should be watched for in the future to detect similar incidents?\u003c/li\u003e\u003cli\u003eWhat additional tools or resources are needed to detect, analyze, and mitigate future incidents?\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eDocument the lessons learned and update IRP and associated procedures as necessary.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eEnsure evidence is retained and archived. The criteria for evidence collection, a procedure to ensure a chain of custody, and archival instructions are maintained by the CCIC Forensic, Malware and Analysis Team (FMAT). The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Incident Handling Processes (IR-04(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS employs automated mechanisms to support the incident handling process. CMS employs automated mechanism (e.g., online incident management systems) to support the organization’s incident handling process. 
The following table provides examples of tools used for automated incident handling processes at CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: Automated Tools\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTools\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eUsers\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eHHS RSA Archer\u003c/td\u003e\u003ctd\u003eThe HHS tool used for all incident tracking and reporting. Users do not access HHS Archer directly; incident data reaches it from ServiceNow.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCCIC IMT and CCIC SOC Analysts\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eServiceNow\u003c/td\u003e\u003ctd\u003eThe CMS ServiceNow ticketing system is used by the CMS IT Service Desk to track incidents, changes, and problems within the CMS environment.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS IT Service Desk\u003c/p\u003e\u003cp\u003eCCIC IMT and CCIC SOC Analysts\u003c/p\u003e\u003cp\u003eCMS Users\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSplunk\u003c/td\u003e\u003ctd\u003eA logging solution for security log management (CMS Enterprise Security) and for Operations and Maintenance (O\u0026amp;M) log management (OCISO Systems Security Management (OSSM)). It is used by the agency as an audit reduction tool to review audit logs, and as the SIEM that correlates data from multiple sources.\u003c/td\u003e\u003ctd\u003eCCIC\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eInformation Correlation (IR-04(04))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Information Correlation is to ensure that CMS correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. 
To achieve this:\u003c/p\u003e\u003col\u003e\u003cli\u003eAll tickets submitted in ServiceNow are thoroughly worked to determine whether they are valid incidents. The submitted tickets are correlated and analyzed for trends.\u003c/li\u003e\u003cli\u003eThe CCIC uses its SIEM tool, Splunk, to correlate data from multiple sources and receive alerts associated with potential incidents and breaches.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eIncident Monitoring (IR-05)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Monitoring is to ensure that CMS documents information system security incidents and maintains records about each incident, such as the status of the incident and the pertinent information necessary for forensics (evaluating incident details, trends, and handling). At CMS, the CCIC delivers a number of important, agency-wide security services. One such service is Continuous Diagnostics and Mitigation (CDM), which is still being deployed; not all data centers have been transitioned to it yet. Other services include vulnerability management, security engineering, incident management, forensics and malware analysis, information sharing, cyber-threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eThe IMT is the group responsible for tracking and documenting security and privacy incidents. Stakeholders outside of the IMT (e.g., incident responders, ISSOs, system owners) are responsible for providing the information necessary to track and monitor information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Tracking/Data Collection/Analysis (IR-05(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Tracking/Data Collection/Analysis is to ensure that CMS employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. 
At CMS, the RSA Archer/CFACTS SecOps Module is used to track potential incidents under investigation by the CCIC SOC. The IMT is responsible for maintaining the data in RSA Archer/CFACTS, along with reviewing, updating, and analyzing the data and producing trend analysis.\u003c/p\u003e\u003cp\u003eThe following list details the automated tools used at CMS to assist in the tracking of security incidents and in the collection and analysis of incident information. Once an incident has been reported, external stakeholders are able to leverage these tools through the support provided by the IMT.\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS uses a ServiceNow ticketing system to track and report all privacy and security incidents.\u003c/li\u003e\u003cli\u003eThe CMS IT Service Desk also uses ServiceNow to track changes and problems within the CMS environment.\u003c/li\u003e\u003cli\u003eHHS Archer is the incident response tool used to notify HHS of an incident. A shell ticket is automatically created in HHS Archer when the CMS IMT is assigned a ticket in ServiceNow.\u003c/li\u003e\u003cli\u003eThe CCIC IMT updates the incident information in ServiceNow, which posts automatically to HHS Archer. 
This continues until the incident has been resolved.\u003c/li\u003e\u003cli\u003eThe CMS RSA Archer/CFACTS SecOps Module is used to investigate potential incidents discovered by the CCIC SOC.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Reporting (IR-06)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe intent of this control is to ensure that CMS requires employees and contractors to report suspected or confirmed information security and privacy incidents to the appropriate authorities, and to ensure that a formal incident reporting process exists.\u003c/p\u003e\u003cp\u003eAs part of a robust enterprise security operations program designed to reduce the risks of malicious activity, CMS established the CCIC to provide enterprise-wide situational awareness and near real-time risk management. The CCIC also provides information security services and aggregated monitoring of security events across all CMS information systems. Finally, the CCIC notifies the appropriate security operations staff of detected configuration weaknesses, vulnerabilities open to exploitation, relevant threat intelligence (including indicators of compromise (IOCs)), and security patches. For purposes of incident response, the IMT, as a sub-component of the CCIC, provides incident response assistance and support. All suspected or confirmed information security and privacy incidents are to be reported to the CMS IT Service Desk. 
The CMS IT Service Desk will notify the IMT as appropriate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control IR-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-6\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eRequires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to [Assignment: organization-defined authorities]\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eRequires personnel to report actual or suspected security and privacy incidents to the organizational incident response capability within 1 hour of discovery/notification; and\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to the CMS IT Service Desk.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe following process details the CMS procedure for reporting suspected security and privacy incidents:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eReport the suspected information security and privacy incident to the CMS IT Service Desk by phone at (410) 786-2580 (internal only) or (800) 562-1963 (internal and external), and/or by email to \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. Additionally, contact your ISSO as soon as possible and apprise them of the situation. All suspected information security and privacy incidents must be reported to the CMS IT Service Desk within one hour of discovery; do not delay the initial report in order to gather supporting information (see Step 2).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAfter notifying the CMS IT Service Desk, collect as much supporting information as possible on the suspected security and privacy incident using the Incident Response Reporting Template located in the ISPL. Provide the information contained on the completed incident reporting form to the CMS IT Service Desk.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThis template replaces the previous HHS CMS Computer Security Incident Report form that was published separately to the information security library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Desk creates a ServiceNow ticket and enters the details of the suspected security and privacy incident. This ServiceNow ticket creates a shell ticket in HHS Archer, which is the HHS incident response tool.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe IMT will update the ServiceNow ticket as necessary; the updates automatically populate in HHS Archer until the incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eThe IMT analyzes the suspected incident, working with the SOC analyst as necessary, and if it is confirmed as an actual incident, executes the incident handling procedures located in Section 3.5 Incident Handling.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Reporting (IR-06(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Reporting is to ensure that CMS employs automated mechanisms to assist in the reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Automated Reporting:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk and report the information security incident.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe CMS IT Service Helpdesk will open a ServiceNow ticket and record the incident. This ServiceNow ticket automatically generates an Archer ticket notifying HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Helpdesk will then assign the ticket to the IMT and they will evaluate the incident report while providing updates to CMS CISO and HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe user (reporter) will continue to update the incident report in ServiceNow or contact the CMS IT Service Helpdesk.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eIf the IMT finds that the event is valid, the user will be contacted and the mitigation process will start.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6: \u003c/strong\u003eIf the IMT finds that the event is not valid, the IMT will close out the ticket and contact the user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7: \u003c/strong\u003eThe user (reporter) will work with the IMT until remediation of the security incident.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Assistance (IR-07)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Assistance is to ensure that CMS provides an incident response support resource, integral to the CMS’ incident capability that offers advice and assistance to users of the information system for handling and reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Incident Response assistance:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk for incident response assistance. The CMS IT Service Desk notifies the IMT as appropriate.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe IMT will evaluate, validate the incident and assist with the mitigation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAutomation Support for Availability of Information/Support (IR-07(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automation Support for Availability of Information Support is to ensure that CMS employs automated mechanisms to increase the availability of incident response-related information and support.\u003c/p\u003e\u003cp\u003eCMS uses multiple resources to provide the user community information/support. These include but are not limited to intranets, mailboxes, and online libraries.\u003c/p\u003e\u003cp\u003eUsers may use the following resources for Automation Support for Availability of Information/Support:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/\"\u003eThe CMS website\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe CMS CISO mailbox at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS IT Service Desk at \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS Incident Management Team (IMT) at \u003ca href=\"mailto:IncidentManagement@cms.hhs.gov\"\u003eIncidentManagement@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"http://intranet.cms.gov/\"\u003eThe CMS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.hhs.gov/ocio\"\u003eThe HHS.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe \u003ca href=\"https://intranet.hhs.gov/\"\u003eHHS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan (IR-08)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Plan (IRP) is to provide a roadmap for implementing the incident response capability. Each organization needs a plan that meets its unique requirements, which relates to the organization’s mission, size, structure, and functions. The plan should lay out the necessary resources and management support. The incident response plan should include the following elements:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePurpose\u003c/li\u003e\u003cli\u003eScope\u003c/li\u003e\u003cli\u003eDefinitions\u003c/li\u003e\u003cli\u003eRoles and Responsibilities\u003c/li\u003e\u003cli\u003eUnderstanding an Incident\u003c/li\u003e\u003cli\u003eIncident Life Cycle\u003cul\u003e\u003cli\u003ePreparation\u003c/li\u003e\u003cli\u003eDetection and Analysis\u003c/li\u003e\u003cli\u003eContainment, Eradication and Recovery\u003c/li\u003e\u003cli\u003ePost-Incident Activity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReporting Requirements\u003c/li\u003e\u003cli\u003ePoints of Contact\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe incident response policy is established in the CMS IS2P2 and has been included in this handbook. The Incident Response Plan template is attached to this document as Appendix B. This document provides incident response procedure to facilitate the implementation of incident response controls. 
Incident response plan, policy, and procedure creation are an important part of establishing a team and permits incident response to be performed effectively, efficiently, and consistently; and so that the team is empowered to do what needs to be done.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters - Control IR-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by [Assignment: organization- defined personnel or role];\u003c/p\u003e\u003cp\u003eb. Distributes copies of the incident response plan to [Assignment organization- defined incident response personnel (identified by name and/or role) and organizational elements]\u003c/p\u003e\u003cp\u003ec. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to [Assignment: organization- defined incident response personnel (identified by name and/or by role) and organizational elements]; and Protects the incident response plan from unauthorized disclosure and modification\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by the applicable Business Owner at least annually.\u003c/p\u003e\u003cp\u003eb. 
Distributes copies of the incident response plan to the CMS CIO, CMS CISO, ISSOs, CMS OIG Computer Crime Unit (CCU), all personnel within the CMS Incident Response Team, the PII Breach Response Team, and Operations Centers.\u003c/p\u003e\u003cp\u003ec. Reviewed annually and updated as required.\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to all stakeholders.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CCIC IMT created an IRP that provides CMS with a roadmap for implementing its incident response capability and outlines the incident response process for the IMT. In addition, each information system is responsible for maintaining a separate IRP that describes the system’s internal processes for incident response and leverages the capability of the IMT. The following steps detail the process for creating an IRP using the template located in the ISPL:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete a draft IRP by leveraging the template and instructions located in Appendix B.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eSubmit the draft IRP to the information system’s assigned CRA for ISPG approval. Update the plan as necessary based on the feedback received from ISPG.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDocument the plan approval by having the Business Owner and ISSO sign the plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eDisseminate the plan to all appropriate stakeholders, including the CRA, ISSO, BO, Incident Responders, System Developers, and System Administrators.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eCMS Security \u0026amp; Privacy Incident Report Form\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Security and Privacy Incident Report\u003c/strong\u003e is the form to be filled out when someone has an incident to report. 
\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/rmh-chapter-08-incident-response-appendix-k-incident-report-template\"\u003eAccess the CMS Security and Privacy Incident Report form and instructions\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Steps for CISO\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSignificant Event/Potential Incident Reported\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive notification from the DCTSO Director or IR Fed Lead\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? If so, engage the HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eIf the incident involves Protected Health Information (PHI), was it reported to the HHS Office for Civil Rights (OCR) in accordance with HIPAA? 
Refer to the OCR website for any details about the event / incident.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eObtain situational awareness \u003c/strong\u003eof the potential incident and the likely\u003c/p\u003e\u003cp\u003eimpact(s) on CMS data and /or CMS FISMA systems.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident situation reports from IMT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eWhen engaging an external partner, consider including or informing HHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR), which executes the Federal coordination responsibilities on behalf of HHS regarding the critical infrastructure public-private partnership for the Healthcare and Public Healthcare Sector (identified in PPD-21 and the National Infrastructure Protection Plan (NIPP)).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident 
\u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will coordinate with IMT to ensure all stakeholders are on security bridge (e.g., SOP, OL, OA, HHS)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? 
If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eDoes CMS have relevant experience or capabilities that it could deploy?\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eTriage and determine if risk analysis should be performed\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eOC/OL will keep the response teams apprised of public or legislative affairs matters related to the event/incident (e.g., Congressional inquiries and media monitoring)\u003c/li\u003e\u003cli\u003eIf communication of CMS risks or potential impacts is necessary, coordinate development of messaging and identify communication channels\u003c/li\u003e\u003cli\u003eReceive impact analysis and make a decision regarding additional analysis of impacts to CMS\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency 
partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eDetermine specific CMS impacts \u003c/strong\u003e(e.g., PII, PHI, FTI, contracts, \u0026amp; other business partners) and \u003cstrong\u003eDetermine specific impacts to CMS data \u003c/strong\u003e(e.g., PII,\u003c/p\u003e\u003cp\u003ePHI, FTI)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eProvide guidance to IR staff about cadence of status reporting\u003c/li\u003e\u003cli\u003eEscalate incident to HHS leadership\u003c/li\u003e\u003cli\u003eWhen findings are presented, consider if public and/or external communication may be appropriate (even if it is not legally necessary or required)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIn accordance with OMB M-20-04, report “\u003cem\u003emajor incidents” \u003c/em\u003eto Congress within seven days.\u003c/li\u003e\u003cli\u003eWhen evaluating impacts to CMS systems, engage business owners and system owners (including ISSOs) and include the impacts to their environments in status reports.\u003c/li\u003e\u003cli\u003eIf sensitive information other than PII, 
PHI, or FTI (e.g., proprietary information) is at risk, consider the risk to the agency and determine appropriate next steps.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e6\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident \u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will likely lead the meeting(s)/call(s), with\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e7\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExecute SOPs to contain and eradicate cause of the 
event/incident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide additional guidance/direction as necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDoes CMS have relevant experience or capabilities that it could deploy or offer to assist the external partner(s)?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e8\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eMonitor event/incident to assess changes in risk to CMS systems and/or data\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf changes in risk to CMS systems and/or data are evident, go to \u003cstrong\u003eStep 2A\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide counsel to leadership and response teams as appropriate\u003c/li\u003e\u003cli\u003eOC/OL: Determine if monitoring of media and Congressional sources is necessary, and communicate requests or news to leadership and response teams. 
Coordinate requests for information or messages that may need to be communicated externally\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDevelop lessons learned and recommend program enhancements\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eParticipate in IMT-led lessons learned development process and inform recommendations\u003c/li\u003e\u003cli\u003eReview lessons learned and submit to business \u0026amp; system owners\u003c/li\u003e\u003cli\u003eReview and support POA\u0026amp;Ms as required\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDetermine if policy changes need to occur in order to further safeguard CMS data.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e10\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eConclude incident and complete external communications 
activities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReview final Security Incident Report (SIR)\u003c/li\u003e\u003cli\u003eReport closure of incident as appropriate/necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContacts\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContact\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eNumber\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Management Team (IMT)\u003c/td\u003e\u003ctd\u003e443-316-5005\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSenior Official for Privacy (SOP)\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDCTSO Director\u003c/td\u003e\u003ctd\u003e410-786-5956\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPC Director\u003c/td\u003e\u003ctd\u003e410-786-6918\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPPG 
Director\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Communications (OC)\u003c/td\u003e\u003ctd\u003e410-786-8126\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Legislation (OL)\u003c/td\u003e\u003ctd\u003e202-619-0630\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of the Administrator (OA)\u003c/td\u003e\u003ctd\u003e410-786-3000\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR)\u003c/td\u003e\u003ctd\u003e202-205-8114\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of Inspector General (OIG)\u003c/td\u003e\u003ctd\u003e800-447-8477\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBridge\u003c/td\u003e\u003ctd\u003e877-267-1577 (meeting ID will be shared by IMT upon notification)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Notification Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNotification\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eWho Notifies?\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll incidents\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT\u003c/li\u003e\u003cli\u003eHHS CSIRC\u003c/li\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCMS IT Service Desk notifies IMT of an incident\u003c/li\u003e\u003cli\u003eCMS incident tickets are mirrored in the HHS Archer, which notifies HHS CSIRC\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving a CMS 
System\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eSO\u003c/li\u003e\u003cli\u003eBO\u003c/li\u003e\u003cli\u003eISSO\u003c/li\u003e\u003cli\u003eDG\u003c/li\u003e\u003cli\u003eCRA\u003c/li\u003e\u003cli\u003eUS-CERT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts CMS Personnel.\u003c/li\u003e\u003cli\u003eHHS CSIRC handles US- CERT reporting.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving suspected criminal activity\u003c/td\u003e\u003ctd\u003eHHS OIG\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving employees\u003c/td\u003e\u003ctd\u003eCMS Office of Human Capital\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving legal ramifications\u003c/td\u003e\u003ctd\u003eCMS Office of Legislation\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eISPG (to convene Breach Analysis Team)\u003c/li\u003e\u003cli\u003eIndividuals affected by PII/PHI compromise\u003c/li\u003e\u003cli\u003eHHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts ISPG of suspected breach\u003c/li\u003e\u003cli\u003eCMS SOP and BO create a notification plan for affected individuals, subject to review by HHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches affecting 500 or more people\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eHHS OCR\u003c/li\u003e\u003cli\u003eMedia outlets, as appropriate\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003eCMS SOP\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches requiring Media Outreach\u003c/td\u003e\u003ctd\u003eCMS Office of Communications\u003c/td\u003e\u003ctd\u003eCMS 
SOP\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe objective of this Incident Response Plan (IRP) is to outline the incident handling and response process for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; in accordance with the requirements outlined in the CMS Acceptable Risk Safeguards (ARS) and CMS Risk Management Handbook (RMH) Chapter 8, Incident Response. This plan covers all assets within the information system boundary, transmitting, storing, or processing CMS information. Furthermore, this plan describes how to manage incident response according to all Federal, Departmental and Agency requirements, policies, directives, and guidelines.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThis IRP is written for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; stakeholders with incident response roles and responsibilities and describes those responsibilities for each phase of the incident life cycle. 
This plan establishes a quick reference for security and privacy incident handling and response.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe following key terms and definitions relate to incident response:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdministrative Vulnerability: \u003c/strong\u003eAn administrative vulnerability is a security weakness caused by incorrect or inadequate implementation of a system’s existing security features by the system administrator, security officer, or users. An administrative vulnerability is not the result of a design deficiency. It is characterized by the fact that the full correction of the vulnerability is possible through a change in the implementation of the system or the establishment of a special administrative or security procedure for the system administrators and users. Poor passwords and inadequately maintained systems are the leading causes of this type of vulnerability.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach: \u003c/strong\u003eA breach is an incident that poses a reasonable risk of harm to the applicable individuals. For the purposes of Office of Management and Budget (OMB) OMB M-17-12 (for PII incidents) and Health Information Technology for Economic and Clinical Health (HITECH) Act (for PHI incidents) reporting requirements, a privacy incident does not rise to the level of a breach until it has been determined that the use or disclosure of the protected information compromises the security or privacy of the protected individual(s) and poses a reasonable risk of harm to the applicable individuals. 
For any CMS privacy incident, the determination of whether it may rise to the level of a breach is made (exclusively) by the CMS Breach Analysis Team (BAT), which determines whether the privacy incident poses a significant risk of financial, reputational, or other harm to the individual(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent: \u003c/strong\u003eAn event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Tax Information (FTI): \u003c/strong\u003eGenerally, Federal Tax Returns and return information are confidential, as required by Internal Revenue Code (IRC) Section 6103. Information received from the Internal Revenue Service (IRS) is considered FTI, and agencies, bodies, and commissions that receive it must ensure that they are\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003emaintaining appropriate safeguards to protect the confidentiality of the information. 
[IRS 1075] Tax return information that is not provided by the IRS falls under PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Response: \u003c/strong\u003eIncident response outlines steps for reporting incidents and lists actions to be taken to resolve information systems security and privacy related incidents.\u0026nbsp; Handling an incident entails forming a team with the necessary technical capabilities to resolve an incident, engaging the appropriate personnel to aid in the resolution and reporting of such incidents to the proper authorities as required, and reporting closeout after an incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Incident: \u003c/strong\u003eA Privacy Incident is a Security Incident that involves Personally Identifiable Information (PII), Protected Health Information (PHI), or Federal Tax Information (FTI) where there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or authorized users for any other than authorized purpose, 
have access or potential access to PII, PHI and/or FTI in usable form, whether physical or electronic.\u003c/p\u003e\u003cp\u003ePrivacy incident scenarios include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLoss of federal, contractor, or personal electronic devices that store PII, PHI and/or FTI affiliated with CMS activities (e.g., laptops, cell phones that can store data, disks, thumb-drives, flash drives, compact disks, etc.)\u003c/li\u003e\u003cli\u003eLoss of hard copy documents containing PII, PHI and/or FTI\u003c/li\u003e\u003cli\u003eSharing paper or electronic documents containing PII, PHI and/or FTI with individuals who are not authorized to access it\u003c/li\u003e\u003cli\u003eAccessing paper or electronic documents containing PII, PHI and/or FTI without authorization or for reasons not related to job performance\u003c/li\u003e\u003cli\u003eEmailing or faxing documents containing PII, PHI and/or FTI to inappropriate recipients, whether intentionally or unintentionally\u003c/li\u003e\u003cli\u003ePosting PII, PHI and/or FTI, whether intentionally or unintentionally, to a public website\u003c/li\u003e\u003cli\u003eMailing hard copy documents containing PII, PHI and/or FTI to the incorrect address\u003c/li\u003e\u003cli\u003eLeaving documents containing PII, PHI and/or FTI exposed in an area where individuals without approved access could read, copy, or move for future use\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSecurity Incident: \u003c/strong\u003eIn accordance with \u003cem\u003eNIST SP 800-61 Revision 2, Computer Security Incident Handling Guide\u003c/em\u003e, a Security Incident is defined as an event that meets one or more of the following criteria:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in any information system processing information on behalf of CMS. 
It also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents and misrouting of mail, all of which may have the potential to put CMS data at risk of unauthorized access, use, disclosure, modification, or destruction\u003c/li\u003e\u003cli\u003eAn occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits\u003c/li\u003e\u003cli\u003eA violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTechnical Vulnerability: \u003c/strong\u003eA technical vulnerability is a hardware, firmware, or software weakness or design deficiency that leaves a system open to potential exploitation, either externally or internally, thus increasing the risk of compromise, alteration of information, or denial of service.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert the roles and responsibilities associated with this plan. 
Possible roles include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eBusiness Owners\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Owner(s)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCyber Risk Advisors (CRA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Security Officer (i.e., ISSO)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCCIC Incident Management Team (i.e., CCIC IMT)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eFor a detailed description of the responsibilities associated with these roles, please refer to the CMS IS2P2 located at: \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003e\u003cem\u003e\u003cstrong\u003ehttps://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\u003c/strong\u003e\u003c/em\u003e\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eUnderstanding an Incident\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe following lists a small subset of common, well-known incidents:\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Destruction or Corruption: \u003c/strong\u003eThe loss of data integrity can take many forms including changing permissions on files making the files writable by non-privileged users, deleting data files and/or programs, changing audit files to cover-up an intrusion, changing configuration files that determine how and 
what data is stored and ingesting information from other sources that may be corrupt\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData Compromise and Data Spills: \u003c/strong\u003eData compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMalicious Software (Malware): \u003c/strong\u003eMalicious code is software based attacks used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem. 
The following is a brief listing of various software attacks:\u003col\u003e\u003cli\u003e\u003cstrong\u003eVirus: \u003c/strong\u003eA virus is propagated via a triggering mechanism (e.g., event time) with a mission (e.g., delete files, corrupt data, send data).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWorm: \u003c/strong\u003eAn unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eTrojan Horse: \u003c/strong\u003eA seemingly useful and innocent program containing additional hidden code that allows unauthorized computer network exploitation (CNE), falsification, or destruction of data.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eSpyware: \u003c/strong\u003eSurreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRootkit Software: \u003c/strong\u003eSoftware that is intended to take full or partial control of a system at the lowest levels.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eContamination: \u003c/strong\u003eContamination is defined as inappropriate introduction of data into a system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivileged User Misuse: \u003c/strong\u003ePrivileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecurity Support Structure Configuration Modification: \u003c/strong\u003eSoftware, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled. 
SSS’ are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eNote: These categories of incidents are not necessarily mutually exclusive.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eCauses of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalicious Code: \u003c/strong\u003eMalicious code is software or firmware intentionally inserted into an information system for an unauthorized purpose\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSystem Failures, Procedures Failures or Improper Acts: \u003c/strong\u003eA secure operating environment depends upon proper operation and use of systems. Failure to comply with established procedures, or errors/limitations in the procedures for a CMS system, can damage CMS reputation and increase vulnerability/risk to the system or application. While advances in computer technology enable the building of increased security into the CMS architecture, much still depends upon the people operating and using the system(s). Improper acts may be differentiated from insider attack according to intent. With improper acts, someone may knowingly violate policy and procedures, but is not intending to damage the system or compromise the information it contains\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eIntrusions or Break-Ins: \u003c/strong\u003eAn intrusion or break-in is entry into and use of a system by an unauthorized individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInsider Attack: \u003c/strong\u003eInsider attacks can pose the greatest risk. 
In an insider attack, a trusted user or operator attempts to damage the system or compromise the information it contains\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eAvenues of Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAs with any information system, attacks can originate through certain avenues or routes. An attack avenue is a path or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack avenues enable attackers to exploit system vulnerabilities, including the human element. If a system were locked in a vault with security personnel surrounding it, and if the system were not connected to any other system or network, there would be virtually no avenue of attack. However, there are numerous avenues of attack.\u003c/p\u003e\u003cul\u003e\u003cli\u003eLocal and/or partner networks\u003c/li\u003e\u003cli\u003eUnauthorized devices (including non-approved connections to a local network)\u003c/li\u003e\u003cli\u003eGateways to outside networks\u003c/li\u003e\u003cli\u003eCommunications devices\u003c/li\u003e\u003cli\u003eShared disks\u003c/li\u003e\u003cli\u003eRemovable media\u003c/li\u003e\u003cli\u003eDownloaded software\u003c/li\u003e\u003cli\u003eDirect physical access\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePossible Impacts of an Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOne of the major concerns of a verifiable computer security attack is that sensitive PII is compromised. 
The release of sensitive information to people without the proper need-to-know or formal authorization jeopardizes the tenets of Confidentiality, Integrity and Availability (CIA). In addition, users may lose trust in computing systems and become hesitant to use one that has a high frequency of incidents or even a high frequency of events that cause the user to distrust the integrity of the federal system. Moreover, users become disenfranchised with any action that causes all or part of the network’s service to be stopped entirely, interrupted, or degraded sufficiently to impact operations, as with a DoS attack. The list of impacts from attacks that compromise computer security includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDenial of Service\u003c/li\u003e\u003cli\u003eLoss or Alteration of Data or Programs\u003c/li\u003e\u003cli\u003ePrivacy Incident, including those resulting in identity theft or data breach\u003c/li\u003e\u003cli\u003eLoss of Trust in Computing Systems\u003c/li\u003e\u003cli\u003eThe loss of intellectual property and CMS confidential information\u003c/li\u003e\u003cli\u003eReputational damage to the organization\u003c/li\u003e\u003cli\u003eThe additional cost of securing networks, insurance, and recovery from attacks\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Life Cycles\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe incident response process has four phases. 
Review the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Incident Lifecycle\u003c/a\u003e.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003ePreparation ensures that the organization is ready to respond to incidents, but can also prevent incidents by ensuring that systems, networks, and applications are sufficiently secure. The following describes the techniques utilized by the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; to prepare for security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to prepare for information security incidents. Examples of preparation methods are implementing incident response tools, establishing security baselines, and running periodic announced training and/or unannounced drills. For additional information on preparation activities, please review Section 3.3.1 Preparation of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe how incidents involving PII are to be handled, including the policies and procedures that have been developed and how those policies and procedures are communicated to the staff. Staff should be informed of the consequences of their actions for inappropriate use and handling of PII. Describe how it is determined that the existing processes are adequate and that staff understand their responsibilities. Describe how suspected or known incidents involving PII are reported to the business owner, information system owner, CRA, ISSO, and CCIC IMT. 
Describe what information needs to be reported, and to whom.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIncidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies. The following section describes the techniques utilized by the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; to detect and analyze security incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to detect and analyze information security incidents. Examples of detection and analysis methods are preparing for common attack vectors, recognizing the signs of an incident, and documenting and prioritizing the incident. For additional information on detection and analysis activities, please review Section 3.3.2 Detection and Analysis of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to detect and analyze incidents involving PII that are the responsibility of the information staff. Describe how it is ensured that the analysis process includes an evaluation of whether an incident involved PII, focusing on both known and suspected breaches of PII. 
Detection of an incident involving PII also requires reporting internally, to US-CERT, and externally, as appropriate; this is a CCIC IMT responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eContainment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eContainment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making. Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. The following section describes the containment strategies and procedures for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt;:\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the strategies and procedures in place for the information system to contain information security incidents. Examples of containment strategies are, shut down a system, disconnect it from a network, and/or disable certain functions. 
For additional information on Containment activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the strategies and procedures in place for containing incidents involving PII.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that the hosts can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to eradicate and recover from information security incidents. Example methods for eradication are deleting malware, disabling breached accounts, and identifying and mitigating vulnerabilities that were exploited. Example activities associated with recovering from information security incidents are restoring systems to normal operation, confirming that systems are functioning normally, and remediating vulnerabilities to prevent similar incidents. 
For additional information on Eradication and Recovery activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe whether media sanitization steps are performed when PII needs to be deleted from media during recovery. PII should not be sanitized until a determination has been made about whether the PII must be preserved as evidence. Describe whether forensic techniques are needed to ensure preservation of evidence. If PII was accessed, describe how the number of affected records or individuals is determined. These activities should be coordinated with the CCIC IMT.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been eradicated and recovery completed, each incident response team should evolve to reflect upon new threats, improve technology, and document lessons learned. Holding a lessons learned meeting with all involved parties after a major incident, and optionally after lesser incidents, can be extremely helpful in improving information security measures and the incident handling process.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to conduct post-incident activity after information security incidents. Example methods for post-incident activity are: conduct a lessons learned meeting, document the lessons learned, update the IRP and associated procedures as necessary, and ensure evidence is retained and archived. 
For additional information on post-incident activity, review the Post-Incident Activity section of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to conduct post-incident activity after incidents involving PII. This should include how the IRP is continually updated and improved based on the lessons learned during each incident. Sharing information within CMS and with US-CERT to help protect against future incidents is a CCIC responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eReporting Requirements\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the information system process for reporting information security incidents. Incidents should be reported to the \u003c/em\u003eCMS IT Service Desk within one hour, by calling (410) 786-2580 (internal) or (1-800) 562-1963 (internal and external), or by email to \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. For information on reporting requirements \u003cem\u003efor information security and privacy incidents, \u003c/em\u003ereview Section 3.5 Incident Reporting and the Incident Response Reporting Template in \u003cem\u003eThe CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePoints of Contact\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Responders\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Administrators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Developers\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePlan Approval\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003cbr\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Test Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Topic\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cem\u003e\u0026lt;Insert Topic\u0026gt;\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scope\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the scope of the incident response test to include who will participate in the exercise, the purpose of the test, and the expected outcome.\u0026nbsp; All personnel with responsibilities under the incident response plan should participate in the exercise.\u0026nbsp; The exercise should apply to the roles and responsibilities.\u0026nbsp; This includes personnel within the incident response plan being exercised and focus on validating that the documented roles, responsibilities, and interdependencies are accurate and current.\u0026nbsp; To ensure that the knowledge of the roles and responsibilities identified in the plan being exercised is current, it is often effective to conduct a training session in conjunction 
with any tabletop exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Objectives\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eThe objectives of this test are as follows:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate the content of the incident response plan and the related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate participants’ roles and responsibilities as documented in the incident response plan and to validate the interdependencies documented in the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo meet regulatory requirements, specifically the NIST SP 800-53 Rev. 4 requirements for incident response testing and incident response training.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo document lessons learned that may be utilized to update the incident response plan and related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eParticipants\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert participants; the participants should be comprised of personnel with roles and responsibilities identified in the incident response plan.\u0026nbsp; For example, training staff, validation staff, and evaluation staff\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Facilitator\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who will lead the discussion among the exercise 
participants\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eData Collector\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who records information about the actions that occur during the exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate of Testing\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date and time of testing\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eLocation\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert Location\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEquipment Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required equipment, for example, audio visual equipment, whiteboard, flipchart\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMaterial Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required material, for example, participant guides, PowerPoint presentations, handouts\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scenarios\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Questions\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert a list of questions regarding the scenario that address the exercise objective.\u0026nbsp; Below are 
sample questions taken from NIST Special Publication 800-61 Computer Security Incident Handling Guide\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePreparation:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWould the organization consider this activity to be an incident?\u0026nbsp; If so, which of the organization’s policies does this activity violate?\u003c/li\u003e\u003cli\u003eWhat measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eDetection and Analysis:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat precursors of the incident, if any, might the organization detect?\u0026nbsp; Would any precursors cause the organization to take action before the incident occurred?\u003c/li\u003e\u003cli\u003eWhat indicators of the incident might the organization detect?\u0026nbsp; Which indicators would cause someone to think that an incident might have occurred?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to detect this particular incident?\u003c/li\u003e\u003cli\u003eHow would the incident response team analyze and validate this incident?\u0026nbsp; What personnel would be involved in the analysis and validation process?\u003c/li\u003e\u003cli\u003eTo which people and groups within the organization would the team report the incident?\u003c/li\u003e\u003cli\u003eHow would the team prioritize the handling of this incident?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eContainment, Eradication, and Recovery:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat strategy should the organization take to contain the incident?\u0026nbsp; Why is this strategy preferable to others?\u003c/li\u003e\u003cli\u003eWhat could happen if the incident were not contained?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to respond to this particular 
incident?\u003c/li\u003e\u003cli\u003eWhich personnel would be involved in the containment, eradication, and/or recovery processes?\u003c/li\u003e\u003cli\u003eWhat sources of evidence, if any, should the organization acquire?\u0026nbsp; How would the evidence be acquired?\u0026nbsp; Where would it be stored?\u0026nbsp; How long should it be retained?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003ePost-Incident Activity:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWho would attend the lessons learned meeting regarding this incident?\u003c/li\u003e\u003cli\u003eWhat could be done to prevent similar incidents from occurring in the future?\u003c/li\u003e\u003cli\u003eWhat could be done to improve detection of similar incidents?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eGeneral Questions:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eHow many incident response team members would participate in handling this incident?\u003c/li\u003e\u003cli\u003eBesides the incident response team, what groups within the organization would be involved in handling this incident?\u003c/li\u003e\u003cli\u003eTo which external parties would the team report the incident?\u0026nbsp; When would each report occur?\u003c/li\u003e\u003cli\u003eHow would each report be made?\u0026nbsp; What information would you report or not report, and why?\u003c/li\u003e\u003cli\u003eWhat other communications with external parties may occur?\u003c/li\u003e\u003cli\u003eWhat tools and resources would the team use in handling this incident?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus 
offsite)?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePlan Being Exercised\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name and location of the incident response plan being exercised\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Agenda\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIntroductions\u003c/li\u003e\u003cli\u003eReview Exercise Scope and Logistics\u003c/li\u003e\u003cli\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/li\u003e\u003cli\u003eData Collector records observations (on-going)\u003c/li\u003e\u003cli\u003eConduct exercise debrief/hotwash\u003c/li\u003e\u003cli\u003eExercise Participants released\u003c/li\u003e\u003cli\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Plan Approval\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert signature by approval authority (e.g., Business Owner or ISSO)\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Participant Guide Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eParticipant Guide\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn an 
effort to validate \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; \u0026lt;\u003cem\u003einsert name of plan being exercised\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; will conduct a tabletop exercise to examine processes and procedures associated with the implementation of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u0026nbsp; This discussion-based exercise will be a \u0026lt;\u003cem\u003einsert number of hours\u003c/em\u003e\u0026gt;-hour event that will begin at \u0026lt;\u003cem\u003einsert start time\u003c/em\u003e\u0026gt; and will last until \u0026lt;\u003cem\u003einsert end time\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003cp\u003eThe exercise is designed to facilitate communication among personnel with incident response roles and responsibilities.\u0026nbsp; The following scenarios have been chosen for this exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert scenarios from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis exercise is designed to improve the readiness of \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; and help validate existing \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt; procedures.\u003c/p\u003e\u003cp\u003eParticipants should come to the exercise prepared to discuss high-level issues related to incident handling based on the scenarios above.\u0026nbsp; To achieve the exercise’s stated objectives, discussion will focus on the following questions related to the scenarios and the incident response plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert questions from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eParticipants may choose to bring incident response narrative or reference material that will aid in answering the above questions.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConcept of 
Operations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA tabletop exercise is a discussion-based event in which participants meet in a “classroom” setting to address the actions participants would take in response to an emergency.\u0026nbsp; Tabletops are an effective initial step for personnel to discuss the full range of issues related to a crisis scenario.\u0026nbsp; These exercises provide an excellent forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans.\u0026nbsp; A tabletop exercise also satisfies the training requirement for personnel with incident response roles and responsibilities.\u003c/p\u003e\u003cp\u003eParticipants will be presented with an incident response scenario.\u0026nbsp; A facilitator will help guide discussion by asking questions designed to address the exercise’s objectives.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert objectives from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDebriefing/Hotwash Questions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAn after action report identifying strengths and areas where improvements might be made will be provided after the exercise.\u0026nbsp; The following questions are designed to obtain input into the after action report from participants:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAre there any other issues you would like to discuss that were not raised?\u003c/li\u003e\u003cli\u003eWhat are the strengths of the incident response plan?\u0026nbsp; What areas require closer examination?\u003c/li\u003e\u003cli\u003eWas the exercise beneficial?\u0026nbsp; Did it help prepare you to execute on your incident response roles and responsibilities?\u003c/li\u003e\u003cli\u003eWhat did you gain from the exercise?\u003c/li\u003e\u003cli\u003eHow can we improve future exercises and tests?\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report 
Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAfter Action Report\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eOn \u0026lt;\u003cem\u003einsert date\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; participated in a \u0026lt;\u003cem\u003einsert duration of exercise\u003c/em\u003e\u0026gt;-hour tabletop exercise designed to validate the organization’s understanding of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eCopy objectives from approved Test Plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDiscussion Findings\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u0026lt;\u003cem\u003einsert exercise name\u003c/em\u003e\u0026gt; provided information on \u0026lt;\u003cem\u003einsert relevant information\u003c/em\u003e\u0026gt;.\u0026nbsp; An important benefit of the exercise was the opportunity for participants to raise important questions, concerns, and issues.\u003c/p\u003e\u003cp\u003eThe discussion findings from the exercise along with any necessary recommended actions are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe exercise provided an excellent opportunity for participants to \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u0026nbsp; As a result of the exercise, participants left with a heightened awareness of \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific 
Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSpecific observations made during the exercise, and recommendations for enhancement of the plan, are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 1. \u0026lt;\u003c/strong\u003e\u003cem\u003e\u003cstrong\u003eInsert general topic area\u003c/strong\u003e\u003c/em\u003e\u003cstrong\u003e\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 2. \u003c/strong\u003e\u003cem\u003e\u003cstrong\u003e\u0026lt;Insert general topic area\u0026gt;\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;Insert recommendations\u0026gt;\u003c/p\u003e\u003cp\u003eBelow is an \u003cstrong\u003eexample\u003c/strong\u003e of a completed observation and recommendations; all text in blue should be deleted upon completion of the After-Action Report.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cem\u003eExample Observations and Recommendations:\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 1.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCommunication\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eA plan identifying the process for communicating with incident response team members does not exist.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eRecommendations:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe organization should consider developing a communications 
plan that establishes standardized communications requirements, addresses how stolen documents will be investigated, and describes procedures for the incident response team to follow when working with other organizations to investigate breaches.\u003c/li\u003e\u003cli\u003eThe organization should identify weaknesses in the incident handling plan and procedures to ensure that all essential personnel can be contacted in the event of a sensitive document breach.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 2.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIncident Breach Handling Protocol\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eEssential personnel were not aware of the organizational impact of stolen documents, or of the incident breach handling protocol for investigation and recovery.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe agency should examine the criteria for ALL personnel having access to sensitive organization documents.\u0026nbsp; In addition, all personnel might need to attend a security training and awareness course on how to report incidents or suspicious activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eSample Incident Scenarios\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 1: Domain Name System (DNS) Server Denial of Service (DoS)\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. 
Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhom should the organization contact regarding the external IP address in question?\u003c/li\u003e\u003cli\u003eSuppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?\u003c/li\u003e\u003cli\u003eSuppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday morning, a new worm is released; it spreads itself through removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent. 
The organization has already incurred widespread infections before antivirus signatures become available several hours after the worm started to spread.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the incident response team identify all infected hosts?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eWould the organization attempt to patch all vulnerable machines? If so, how would this be done?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization’s website the next morning?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if one or more of the infected hosts contained sensitive personally identifiable information regarding the organization’s employees?\u003c/li\u003e\u003cli\u003eHow would the incident response team keep the organization’s users informed about the status of the incident?\u003c/li\u003e\u003cli\u003eWhat additional measures would the team perform for hosts that are not currently connected to the network (e.g., staff members on vacation, offsite employees who connect occasionally)?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 3: Stolen Documents\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s 
systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eFrom what sources might the incident response team gather evidence?\u003c/li\u003e\u003cli\u003eWhat would the team do to keep the investigation confidential?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team identified an internal host responsible for the leaks?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 4: Compromised Database Server\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. 
The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat sources might the team use to determine when the compromise had occurred?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team discovered a rootkit on the server?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 5: Unknown Exfiltration\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what was most likely inside the .RAR files? 
Which other teams might assist the incident response team?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 6: Unauthorized Access to Payroll Records\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. 
The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what actions had been performed?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the team had reason to believe that the person was a current employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 7: Disappearing Host\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. 
When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat data sources might contain information regarding the identity of the vulnerability scanning host?\u003c/li\u003e\u003cli\u003eHow would the team identify who had been performing the vulnerability scans?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at external hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 8: Telecommuting Compromise\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. 
The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the external IP address belonged to an open proxy?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?\u003c/li\u003e\u003cli\u003eSuppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer?\u003c/li\u003e\u003cli\u003eSuppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? 
How would this affect the handling of the incident if the user were a high-ranking executive in the organization?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 9: Anonymous Threat\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, the organization’s physical security team receives a call from an IT manager, reporting that two of her employees just received anonymous threats against the organization’s systems. Based on an investigation, the physical security team believes that the threats should be taken seriously and notifies the appropriate internal teams, including the incident response team, of the threats.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the incident response team do differently, if anything, in response to the notification of the threats?\u003c/li\u003e\u003cli\u003eWhat impact could heightened physical security controls have on the team’s responses to incidents?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 10: Peer-to-Peer File Sharing\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe organization prohibits the use of peer-to-peer file sharing services. The organization’s network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file sharing services. 
On a Monday evening, an intrusion detection analyst notices that several file sharing alerts have occurred during the past three hours, all involving the same internal IP address.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?\u003c/li\u003e\u003cli\u003eWhat privacy considerations may impact the handling of this incident?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 11: Unknown Wireless Access Point\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s help desk receives calls from three users on the same floor of a building who state that they are having problems with their wireless access. A network administrator who is asked to assist in resolving the problem brings a laptop with wireless access to the users’ floor. As he views his wireless networking configuration, he notices that there is a new access point listed as being available. He checks with his teammates and determines that this access point was not deployed by his team, so that it is most likely a rogue access point that was established without permission.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should be the first major step in handling this incident (e.g., physically finding the rogue access point, logically attaching to the access point)?\u003c/li\u003e\u003cli\u003eWhat is the fastest way to locate the access point? 
What is the most covert way to locate the access point?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been deployed by an external party (e.g., contractor) temporarily working at the organization’s office?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if an intrusion detection analyst reported signs of suspicious activity involving some of the workstations on the same floor of the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been removed while the team was still attempting to physically locate it?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"325:T23062,"])</script><script>self.__next_f.push([1,"\u003ch3\u003eIntroduction\u003c/h3\u003e\u003cp\u003eRMH Chapter 8 Incident Response documents the controls that focus on how the organization must: establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and track, document, and report incidents to appropriate organizational officials and/or authorities. Procedures addressed include incident response training, incident response testing, incident handling, monitoring and reporting, and information spillage response. Within this chapter, readers will find the CMS Cybersecurity Integration Center (CCIC) Functional Area Overview figure and how the Incident Management Team (IMT) within the CCIC works with systems to mitigate information security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLooking for templates and forms about Incident Response\u003c/strong\u003e? 
Within this page you can find:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eCMS Security and Privacy Incident Report form\u003c/a\u003e (for reporting an incident)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#cms-security-privacy-incident-report-form\"\u003eIncident Response Plan Template\u003c/a\u003e (for creating your Incident Response plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-test-plan-template\"\u003eTabletop Exercise Test Template\u003c/a\u003e (for creating your Tabletop Exercise that you will use to test your Incident Response Plan)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#tabletop-exercise-participant-guide-template\"\u003eTabletop Exercise Participant Guide Template\u003c/a\u003e (for creating Participant Guides that you can give to people who will be participating in your Tabletop Exercise)\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir#after-action-report-template\"\u003eAfter-Action Report Template\u003c/a\u003e (for summarizing the outcomes / finding of the Tabletop Exercise, along with any necessary next steps)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eCommon Control Inheritance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe inherited controls list can be used to identify common controls offered by system alternatives. 
The use of inherited controls is optional; the objective of this process is to identify opportunities to extract benefits (and reduce costs) by maximizing the use of already existing solutions, and minimizing duplication of efforts across the enterprise.\u003c/p\u003e\u003cp\u003eBelow is a listing of controls that can be inherited, where they can be inherited from, and whether they are a hybrid control (partially inherited, with the remainder implemented by the system) for this control family.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Response Control\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInheritable From\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eHybrid Control\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-01\u003c/td\u003e\u003ctd\u003eOCISO Inheritable Controls\u003c/td\u003e\u003ctd\u003eYes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-02(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-03(02)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(01)\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-04(04)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-05(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-06(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - 
EDC4\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIR-07(01)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eNo\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-08\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(01)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(02)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center -\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(03)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eCMS Baltimore Data Center - EDC4\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eIR-09(04)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS Baltimore Data Center 
-\u003c/p\u003e\u003cp\u003eEDC4\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eNo\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eProcedures\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eProcedures assist in the implementation of the required security and privacy controls.\u003c/p\u003e\u003cp\u003eIn this section, the IR family procedures are outlined. To increase traceability, each procedure maps to the associated National Institute of Standards and Technology (NIST) controls using the control number from the CMS Acceptable Risk Safeguards (ARS).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Training (IR-02)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Training is to prepare individuals to prevent, detect, and respond to security and privacy incidents, and ensure that CMS fulfills Federal Information Security Modernization Act (FISMA) requirements. Incident response training should be consistent with the roles and responsibilities assigned in the incident response plan. For example, incident response training is applicable to Information System Owners (SO), Business Owners (BO), and Information System Security Officers (ISSO). CMS personnel (i.e., employees and contractors) who routinely access sensitive data, such as names, Social Security numbers, and health records, to carry out the CMS mission receive incident response training annually as part of the general information security awareness training.\u003c/p\u003e\u003cp\u003eThe CMS Chief Information Officer (CIO), CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) shall endorse and promote an organization-wide information systems security and privacy awareness training. 
According to \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the CIO shall establish, implement, and enforce a CMS-wide framework to facilitate an incident response program including Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) breaches that ensures proper and timely reporting to HHS. In the CMS IS2P2, the CISO and the SOP shall ensure the CMS-wide implementation of Department and CMS policies and procedures that relate to information security and privacy incident response.\u003c/p\u003e\u003cp\u003eUsers must be aware that the Internal Revenue Code (IRC), Section 6103(p)(4)(D) requires that agencies receiving FTI provide appropriate safeguard measures to ensure the confidentiality of the FTI. Incident response training is one of the safeguards for implementing this requirement.\u003c/p\u003e\u003cp\u003eThe CMS Information Security and Privacy Group (ISPG) will provide incident response training to information system users that is consistent with assigned roles and responsibilities when assuming an incident response role or responsibility and annually thereafter. For example, general users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. 
In addition, those responsible for identifying and responding to a security incident must understand how to recognize when PII or PHI is involved so that they can coordinate with the SOP.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally-defined parameters (ODPs) for IR-2.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Defined Parameters – Control IR-2\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-2\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within [\u003cem\u003eAssignment: organization-defined time period\u003c/em\u003e] of assuming an incident response role or responsibility;\u003c/p\u003e\u003cp\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. [\u003cem\u003eAssignment: organization-defined frequency\u003c/em\u003e] thereafter\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization provides incident response training to information system users consistent with assigned roles and responsibilities:\u003c/p\u003e\u003cp\u003ea. Within one (1) month of assuming an incident response role or responsibility;\u003c/p\u003e\u003cp\u003eb. When required by information system changes; and\u003c/p\u003e\u003cp\u003ec. 
Annually thereafter\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eTraining for General Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor all Enterprise User Administration (EUA) users the following steps outline the process for completing the CMS Computer-based Training (CBT), which includes IR training.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eThe incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at the \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e. The training will be delivered to all EUA users initially prior to account issuance and annually thereafter. It is the responsibility of users to take this training within three (3) days.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEach year, based on the date of account issuance, each user receives an email that requires a review and completion of the annual CBT.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eTraining records are maintained using the CBT database and include the User ID (UID) and the date the individual last completed the training.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eRole-Based Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eFor individuals with incident response roles and responsibilities, role-based training is satisfied through the execution of a tabletop exercise as long as all personnel with incident response roles and responsibilities participate in the exercise. 
Review Section 3.2 Incident Response Testing for procedures to conduct a tabletop exercise.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSimulated Events (IR-02(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to facilitate the effective response by personnel who handle crisis situations by incorporating simulated events into incident response training. Exercises involving simulated incidents can also be very useful for preparing staff for incident handling.1\u003c/p\u003e\u003cp\u003eThe selection of the scenarios should occur as a part of the test plan development; see Section 3.2 Incident Response Testing for developing the test plan. The following details the CMS specific process for incorporating simulated events/scenarios into incident response training, through the execution of a tabletop exercise.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eSelect two scenarios from the list below that will form the foundation of the tabletop exercise. Document the scenarios and a description of each in the Tabletop Exercise Test Plan. It is important to select your scenarios based upon an assessment of risk (i.e., the greatest current threats). Weaknesses identified during prior incidents might identify good candidate scenarios for future incident response tests. In addition, results from prior \u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003esecurity control assessments (SCAs)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e or existing \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;Ms)\u003c/a\u003e might assist in selecting scenarios for incident response testing. 
For example, if access control was identified as a weakness during a prior SCA, a good scenario to select for incident response testing would be scenario 6 (Unauthorized Access to Payroll Records). Detailed descriptions of each of these scenarios can be found in the ISPL (Information Security and Privacy Library) and the scenarios are listed below:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eScenario 1: \u003c/strong\u003eDomain Name System (DNS) Server Denial of Service (DoS)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 2: \u003c/strong\u003eWorm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 3: \u003c/strong\u003eStolen Documents\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 4: \u003c/strong\u003eCompromised Database Server\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 5: \u003c/strong\u003eUnknown Exfiltration\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 6: \u003c/strong\u003eUnauthorized Access to Payroll Records\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 7: \u003c/strong\u003eDisappearing Host\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 8: \u003c/strong\u003eTelecommuting Compromise\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 9: \u003c/strong\u003eAnonymous Threat\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 10: \u003c/strong\u003ePeer-to-Peer File Sharing\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eScenario 11: \u003c/strong\u003eUnknown Wireless Access Point\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEnsure that the material developed for the tabletop exercise supports the scenarios selected. 
Review Section 3.2 Incident Response Testing for more information on developing the exercise material.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eExecute the tabletop test using the procedures outlined below in Section 3.2 Incident Response Testing.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Training Environments (IR-02(02))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Incident Response Training/Automated Training Environments is to ensure that CMS employs automated mechanisms to provide a more thorough and realistic incident training environment. At CMS, incident training and incident response testing are both satisfied through the execution of a tabletop exercise. These tabletop exercises are designed to incorporate automated mechanisms for incident response; review Section 3.2.1 Automated Testing for the detailed procedures that ensure automated mechanisms are incorporated into incident response training.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Testing (IR-03)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Testing is to ensure that CMS tests the incident response capability for the information system using testing principles to determine the incident response effectiveness and document the results.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally-defined parameters (ODPs) for IR testing.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control IR-03\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS 
Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-03\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization tests the incident response capability for the information system:\u003c/p\u003e\u003cp\u003e[Assignment: organization- defined frequency] using [Assignment: organization- defined tests] to determine the incident response effectiveness and documents the results\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe organization tests the incident response capability for the information system within every three hundred sixty- five (365) days using NIST SP 800-61, reviews, analyses, and simulations to determine the organization’s incident response effectiveness, and documents its findings.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eCMS incident response testing is accomplished through the execution of tabletop exercises. Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss roles during an emergency and the responses to a particular emergency situation.\u0026nbsp; A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a tabletop exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete the Test Plan utilizing the Tabletop Exercise Test Plan Template located in the ISPL\u003cstrong\u003e. \u003c/strong\u003eTesting must include two scenario-based exercises to determine the ability of the CMS to respond to information security and privacy incidents. 
Scenarios should be selected which integrate the use of automated mechanisms for incident response.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAcquire approval of the Test Plan from the Business Owner and/or ISSO. The approval is granted by signing the final row of the Test Plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDevelop the exercise materials (e.g., briefings, Participant Guide). A sample Tabletop Exercise Participant Guide Template is located in the ISPL. For more information on functional exercise material please refer to Section 5.3 of \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/84/final\"\u003eNIST SP 800- 84\u003c/a\u003e\u003cstrong\u003e, \u003c/strong\u003e\u003cem\u003eGuide to Test, Training, and Exercise Programs for IT Plans and Capabilities.\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eConduct the tabletop exercise according to the approved Test Plan. The agenda contained within the Test Plan serves as a guide for executing the exercise. Prior to releasing the exercise participants, the Exercise Facilitator and Data Collector conduct a debrief/hotwash.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eEvaluate the tabletop exercise by completing the After-Action Report located in the ISPL. This step is completed by the Exercise Facilitator and Data Collector.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCoordination with Related Plans (IR-03(02))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of the Incident Response Testing/Coordination with Related Plans is to ensure that CMS coordinates incident response testing with organizational elements responsible for related plans. 
Related plans can include but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConfiguration Management Plan\u003c/li\u003e\u003cli\u003eInformation System Contingency Plan\u003c/li\u003e\u003cli\u003ePatch and Vulnerability Management Plan\u003c/li\u003e\u003cli\u003eInformation System Continuous Monitoring Strategy/Plan\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following steps detail the CMS specific process to ensure Coordination with Related Plans:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1:\u0026nbsp; \u003c/strong\u003eIdentify the related plans and the stakeholders associated with each.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eEstablish a primary method of communication. Possible methods of communication include emails, face-to-face meetings, and teleconferences.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eUsing the primary method of communication identified above, request copies of related plans. Review the related plans identifying dependencies for the IR test.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eIdentify stakeholders from related plans that will be required to participate in the incident response exercise. Coordinate with the stakeholders through the establishment, review, and execution of a test plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eConduct follow up communications as necessary. 
Specifically, a copy of the After-Action Report should be provided to stakeholders associated with related plans so that those plans may be updated as needed.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Handling (IR-04)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS implements an incident handling capability for security and privacy incidents that includes 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post incident activity.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAll distributed Incident Response Teams (IRT) fall under the authority of the CCIC IMT, the single information security and privacy incident coordination entity. Each individual system is responsible for identifying incident responders as part of the system’s Incident Response Plan (IRP). The incident responders serve as the frontline of the incident handling capability with oversight and incident response assistance provided by the IMT. This section of the document establishes the specific requirements and processes for maintaining a unified, cohesive incident handling capability across the CMS enterprise and describes the relationship between the IMT and the frontline incident responders.\u003c/p\u003e\u003cp\u003eIn the event of a suspected or confirmed privacy (PII) data breach, CCIC IMT will notify ISPG that a Breach Analysis Team (BAT) should be convened, including representatives from ISPG, IMT, and system stakeholders such as the system Business Owner. The BAT will conduct and document a formal Risk Assessment to assess the risk of harm to individuals potentially affected by the breach. 
The following factors are used:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNature and sensitivity of PII\u003c/li\u003e\u003cli\u003eLikelihood of access and use of PII; and\u003c/li\u003e\u003cli\u003eType of breach\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the Risk Assessment concludes that there is a moderate or high risk that PII has been compromised, the CMS Senior Official for Privacy (SOP) will work with IMT and system stakeholders to develop a notification plan to notify affected individuals and mitigate their risk.\u003c/p\u003e\u003cp\u003eAffected individuals should be notified of a breach via first-class mail where possible, though depending on the nature and scale of the breach, additional methods such as email, telephone, and local media outreach may be used. The breach notification should include the following information:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSource of the breach\u003c/li\u003e\u003cli\u003eBrief description\u003c/li\u003e\u003cli\u003eDate of discovery and breach occurrence\u003c/li\u003e\u003cli\u003eType of PII involved\u003c/li\u003e\u003cli\u003eA statement of whether or not the information was encrypted\u003c/li\u003e\u003cli\u003eWhat steps individuals should take to protect themselves from potential harm and services being provided to potentially affected individuals\u003c/li\u003e\u003cli\u003eWhat the agency is doing to investigate and resolve the breach\u003c/li\u003e\u003cli\u003eWho affected individuals should contact for information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition to breach notification, CMS must also consider how best to mitigate the risk of harm to affected individuals. 
CMS may need to provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCountermeasures against misuse of lost PII/PHI, such as notifying a bank if credit card numbers are lost\u003c/li\u003e\u003cli\u003eGuidance on how affected individuals can protect themselves against identity theft, such as education on credit freezes and other defensive measures\u003c/li\u003e\u003cli\u003eServices, such as credit monitoring\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Breach Analysis Team may determine that some, all, or none of these mitigation techniques are appropriate for a given breach. Some breaches may require notification, but not mitigation.\u003c/p\u003e\u003cp\u003eThe SOP coordinates with HHS Privacy Incident Response Team (PIRT) for review and approval of CMS response plan, breach notification, and breach mitigation. Incident handling activities should be coordinated with contingency planning activities; and the lessons learned from ongoing incident handling activities should be incorporated into incident response procedures, training and testing. The procedure below provides an inclusive set of specific steps and requirements for handling information security and privacy incidents using the four-phase lifecycle. This lifecycle must be used by the IMT and the frontline incident responders to properly handle information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIncident response methodologies typically emphasize preparation, not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. 
Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for phase one (preparation) of the incident handling lifecycle:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure the proper preparations have been made to respond to information security and privacy incidents by completing the Incident Preparation Checklist located in the ISPL. This checklist should be reviewed annually in coordination with the update to the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEnsure regular practices have been implemented to prevent information security and privacy incidents. The list below taken from NIST SP 800-61 Rev. 2 provides a brief overview of some of the main recommended practices for securing networks, systems and applications.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eRisk Assessments: \u003c/strong\u003ePeriodic risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities. This should include understanding the applicable threats, including organization-specific threats. Each risk should be prioritized, and the risks can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. 
Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard for risk assessment requires that the results of the risk assessment are reviewed at least annually and that the risk assessment is updated at least every three years or when a significant change occurs.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eHost Security: \u003c/strong\u003eAll hosts should be hardened appropriately using standard configurations. In addition to keeping each host properly patched, hosts should be configured to follow the principle of least privilege, granting users only the privileges necessary for performing authorized tasks. Hosts should have auditing enabled and should log significant security-related events. The security of hosts and configurations should be continuously monitored. Many organizations use Security Content Automation Protocol (SCAP) configuration checklists to assist in securing hosts consistently and effectively.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires the implementation of the latest security configuration baselines established by the HHS, U.S. Government Configuration Baselines (USGCB), and the National Checklist Program (NCP).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eNetwork Security: \u003c/strong\u003eThe network perimeter should be configured to deny all activity that is not expressly permitted. 
This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires that the information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalware Prevention: \u003c/strong\u003eSoftware to detect and stop malware should be deployed throughout the organization. Malware protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., email server, web proxies), and the application client level (e.g., email clients, instant messaging clients). The CMS standard requires that malicious code protection mechanisms are implemented as follows:\u003cul\u003e\u003cli\u003e\u003cstrong\u003eDesktops: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eServers \u003c/strong\u003e(to include databases and applications)\u003cstrong\u003e: \u003c/strong\u003eMalicious code scanning software is configured to perform critical system file scans no less often than once every twelve (12) hours and full system scans no less often than once every seventy-two (72) hours.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn addition, malicious code protection mechanisms should be updated whenever new releases are available in accordance with CMS configuration management policy and procedures. Antivirus definitions should be updated in near-real-time. 
Malicious code protection mechanisms should be configured to block and quarantine malicious code and send alerts to administrators in response to malicious code detection.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eUser Awareness and Training: \u003c/strong\u003eUsers should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications as well as the policy and procedures for safeguarding data that is not in digital form (e.g., PII in paper form). Applicable lessons learned from previous incidents should also be shared with users so they can see how their actions could affect the organization. Improving user awareness regarding incidents should reduce the frequency of incidents. IT staff should be trained to maintain networks, systems, and applications in accordance with the organization’s security standards. All users should be trained to protect printed hard/paper copies of data, including PII.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS standard requires that all general users receive security and privacy awareness training annually. The incident response training is incorporated into the annual Information Systems Security and Privacy Awareness Training. All EUA users must take the CBT Training located at the \u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Information Technology Security and Privacy web page\u003c/a\u003e (\u003ca href=\"https://www.cms.gov/cbt/forms/isspa.aspx\"\u003eInformation Systems Security and Privacy Awareness training\u003c/a\u003e). The training must be delivered to all EUA users initially prior to account issuance and annually thereafter.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMaintain Inventory: \u003c/strong\u003eMaintain an accurate inventory of information system components identifying those components that store, transmit, and/or process PII. 
An accurate inventory facilitates the implementation of the appropriate information security and privacy controls and is critical to preventing, detecting, and responding to information security incidents.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eEnsure that the preparation and prevention techniques listed in Steps 1 and 2 above have been incorporated into the incident response plan for the information system and exercised at least annually. Review the Incident Response Plan section for details on developing the incident response plan and the Incident Response Testing (IR-03) section for details on incident response testing.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSteps\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eActivity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 1:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePrepare for Common Attack Vectors. 
The attack vectors listed below are not intended to provide definitive classification for incidents; but rather, to simply list common methods of attack, which can be used as a basis for detection:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eExternal/Removable Media: \u003c/strong\u003eAn attack executed from removable media or a peripheral device, for example, malicious code spreading onto a system from an infected universal serial bus (USB) flash drive.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAttrition: \u003c/strong\u003eAn attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services (e.g., a Distributed Denial of Service (DDoS) intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords, CAPTCHAS, or digital signatures).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWeb: \u003c/strong\u003eAn attack executed from a website or web-based application; for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEmail: \u003c/strong\u003eAn attack executed via an email message or attachment; for example, exploit code disguised as an attached document or a link to a malicious website in the body of an email message.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImpersonation: \u003c/strong\u003eAn attack involving replacement of something benign with something malicious; for example: spoofing, man in the middle attacks, rogue wireless access points, and structured query language (SQL) injection attacks all involve impersonation.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImproper Usage: \u003c/strong\u003eAny incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories; for example, a user installs file 
sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 2:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRecognize the Signs of an Incident.\u0026nbsp; Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Precursors and indicators are identified using many different sources, with the most common being computer security software alerts, logs, publicly available information, and people. The table below, taken from \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Rev. 2\u003c/a\u003e, lists common sources of precursors and indicators for each category.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: Common Sources of Precursors and Indicators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAlerts\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIDPSs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntrusion Detection and Prevention Systems (IDPS) products identify suspicious events and record pertinent data regarding them, including the date and time the attack was detected, the type of attack, the source and destination IP addresses, and the username (if applicable and known). Most IDPS products use attack signatures to identify malicious activity; the signatures must be kept up to date so that the newest attacks can be detected. 
IDPS software often produces \u003cem\u003efalse positives, \u003c/em\u003ealerts that indicate malicious activity is occurring, when in fact there has been none. Analysts should manually validate IDPS alerts either by closely reviewing the recorded supporting data or by getting related data from other sources.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSIEMs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eSecurity Information and Event Management (SIEM) products are similar to IDPS products, and can generate alerts based on analysis of log data.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAntivirus and anti-spam software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eAntivirus software detects various forms of malware, generates alerts, and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if signatures are kept up to date. Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks, and other malicious content, so alerts from antispam software may indicate attack attempts.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFile integrity checking software\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFile integrity checking software can detect changes made to important files during incidents. It uses a hashing algorithm to obtain a cryptographic checksum for each designated file. If the file is altered and the checksum is recalculated, an extremely high probability exists that the new checksum will not match the old checksum. 
By regularly recalculating checksums and comparing checksum with previous values, changes to files can be detected.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eThird-party monitoring services\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThird parties offer a variety of subscription-based and free monitoring services. An example is fraud detection services that will notify an organization if its IP addresses, domain names, etc. are associated with current incident activity involving other organizations. There are also free real-time deny lists with similar information.\u003c/p\u003e\u003cp\u003eAnother example of a third-party monitoring service is a CSIRC notification list; these lists are often available only to other incident response teams.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003eLogs\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eOperating system, service and application logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eLogs from operating systems, services, and applications (particularly audit-related data) are frequently of great value when an incident occurs, such as recording which accounts were accessed and what actions were performed. Organizations should require a baseline level of logging on all systems and a higher baseline level on critical systems. 
Logs can be used for analysis by correlating event information.\u003c/p\u003e\u003cp\u003eDepending on the event information, an alert can be generated to indicate an incident.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork device logs\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLogs from network devices such as firewalls and routers are not typically a primary source of precursors or indicators. Although these devices are usually configured to log blocked connection attempts, little information is provided about the nature of the activity. Still, the devices can be valuable in identifying network trends and in correlating events detected by other devices.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eNetwork flows\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eA network flow is a particular communication session occurring between hosts. Routers and other networking devices can provide network flow information, which can be used to find anomalous network activity caused by malware, data exfiltration, and other malicious acts. There are many standards for flow data formats, including NetFlow, sFlow, and IPFIX.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePublicly Available Information\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation on new vulnerabilities and exploits\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eKeeping up with new vulnerabilities and exploits can prevent some incidents from occurring and assist in detecting and analyzing new attacks. The National Vulnerability Database (NVD) contains information on vulnerabilities. 
Organizations such as US-CERT and CERT®/CC periodically provide threat update information through briefings, web postings, and mailing lists.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cstrong\u003ePeople\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eSource\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from within the organization\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eUsers, system administrators, network administrators, security staff, and others within the organization may report signs of incidents. It is important to validate all such reports. One approach is to ask people who provide such information how confident they are in the accuracy of the information. Recording this estimate along with the information provided can help considerably during incident analysis, particularly when conflicting data is discovered.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePeople from other organizations\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReports of incidents that originate externally should be taken seriously. For example, the organization might be contacted by a party claiming a system at the organization is attacking the other party’s systems. External users may also report other indicators, such as a defaced web page or an unavailable service. Other incident response teams also may report incidents. 
It is important to have mechanisms in place for external parties to report indicators and for trained staff to monitor those mechanisms carefully; this may be as simple as setting up a phone number and email address, configured to forward messages to the help desk.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 3:\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eReport and Analyze the Incident. Report the incident using the procedures outlined in Section 3.5 Incident Reporting. Once reported, the IMT and frontline IR responders analyze the incident. The following are recommendations taken from \u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-61\"\u003eNIST-SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/a\u003e\u003cem\u003e \u003c/em\u003efor making incident analysis easier and more effective:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eProfile Networks and Systems\u003c/strong\u003e: Profiling is measuring the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling are running file integrity checking software on hosts to derive checksums for critical files and monitoring network bandwidth usage to determine what the average and peak usage levels are on various days and times. In practice, it is difficult to detect incidents accurately using most profiling techniques; organizations should use profiling as one of several detection and analysis techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUnderstand Normal Behaviors\u003c/strong\u003e: Incident response team members should study networks, systems, and applications to understand what the normal behavior is so that abnormal behavior can be recognized more easily. 
No incident handler will have a comprehensive knowledge of all behavior throughout the environment, but handlers should know which experts could fill in the gaps. One way to gain this knowledge is through reviewing log entries and security alerts. This may be tedious if filtering is not used to condense the logs to a reasonable size. As handlers become more familiar with the logs and alerts, handlers should be able to focus on unexplained entries, which are usually more important to investigate. Conducting frequent log reviews should keep the knowledge fresh, and the analyst should be able to notice trends and changes over time. The reviews also give the analyst an indication of the reliability of each source.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCreate a Log Retention Policy: \u003c/strong\u003eInformation regarding an incident may be recorded in several places, such as firewall, IDPS, and application logs. Creating and implementing a log retention policy that specifies how long log data should be maintained may be extremely helpful in analysis because older log entries may show reconnaissance activity or previous instances of similar attacks. Another reason for retaining logs is that incidents may not be discovered until days, weeks, or even months later. Retained logs should also be protected from modification or deletion (for example, by forwarding them to a separate, centrally managed log store), since an intruder who gains privileged access will often try to remove traces of the activity. The length of time to maintain log data is dependent on several factors, including the organization’s data retention policies and the volume of data. See NIST SP 800-92, \u003cem\u003eGuide to Computer Security Log Management \u003c/em\u003efor additional recommendations related to logging.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePerform Event Correlation: \u003c/strong\u003eEvidence of an incident may be captured in several logs that each contain different types of data: a firewall log may have the source IP address that was used, whereas an application log may contain a username. 
A network IDPS may detect that an attack was launched against a particular host, but it may not know if the attack was successful. The analyst may need to examine the host’s logs to determine that information.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCorrelating events among multiple indicator sources can be invaluable in validating whether a particular incident occurred.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eKeep All Host Clocks Synchronized\u003c/strong\u003e: Protocols such as the Network Time Protocol (NTP) synchronize clocks among hosts. Event correlation will be more complicated if the devices reporting events have inconsistent clock settings. From an evidentiary standpoint, it is preferable to have consistent timestamps in logs, for example, to have three logs that show an attack occurred at 12:07:01 a.m., rather than logs that list the attack as occurring at 12:07:01, 12:10:35, and 11:07:06.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMaintain and Use a Knowledge Base of Information: \u003c/strong\u003eThe knowledge base should include information that handlers need for referencing quickly during incident analysis. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets, and relatively simple databases provide effective, flexible, and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries, and application error codes.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUse Internet Search Engines for Research: \u003c/strong\u003eInternet search engines can help analysts find information on unusual activity. For example, an analyst may see some unusual connection attempts targeting TCP port 22912. 
Performing a search on the terms “TCP,” “port,” and “22912” may return some hits that contain logs of similar activity or even an explanation of the significance of the port number. Note that separate workstations should be used for research to minimize the risk to the organization from conducting these searches.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRun Packet Sniffers to Collect Additional Data: \u003c/strong\u003eSometimes the indicators do not record enough detail to permit the handler to understand what is occurring. If an incident is occurring over a network, the fastest way to collect the necessary data may be to have a packet sniffer capture the network traffic. Configuring the sniffer to record traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information. Because of privacy concerns, some organizations may require incident handlers to request and receive permission before using packet sniffers. At CMS, captured traffic may contain PII/PHI and should be stored and handled as evidence under the FMAT chain-of-custody procedure.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eFilter the Data: \u003c/strong\u003eThere is simply not enough time to review and analyze all the indicators; at minimum, the most suspicious activity should be investigated. One effective strategy is to filter out categories of indicators that tend to be insignificant. Another filtering strategy is to show only the categories of indicators that are of the highest significance; however, this approach carries substantial risk because new malicious activity may not fall into one of the chosen indicator categories.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSeek Assistance from Others: \u003c/strong\u003eOccasionally, the team will be unable to determine the full cause and nature of an incident. 
If the team lacks sufficient information to contain and eradicate the incident, then it should consult with internal resources (e.g., information security staff) and external resources (e.g., US-CERT, other CSIRTs (Computer Security Incident Response Teams), contractors with incident response expertise). It is important to accurately determine the cause of each incident so that it can be fully contained.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 4\u0026nbsp;\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eContinue to document updates to the incident in the Incident Response Reporting Template form.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003ePrioritize the incident using the criteria found in the \u003cem\u003e“Impact Category, Attack Vector Descriptions, \u0026amp; Attribute Category” \u003c/em\u003edocument of the Incident Response Reporting document which is located in the ISPL\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cp\u003eEstablish communication method and notify the appropriate CMS personnel. The Incident Notification Table located in the Incident Response Steps for CISO (Appendix A) is a guide on notification steps per incident type. 
The list below provides examples of individuals that may require notification in the event of an incident:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003cli\u003eSenior Official for Privacy (SOP)\u003c/li\u003e\u003cli\u003eHHS Office of the Inspector General (OIG)\u003c/li\u003e\u003cli\u003eLocal incident response team within the organization\u003c/li\u003e\u003cli\u003eExternal incident response team (if appropriate)\u003c/li\u003e\u003cli\u003eSystem Owner\u003c/li\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eSystem Business Owner\u003c/li\u003e\u003cli\u003eSystem Cyber Risk Advisor\u003c/li\u003e\u003cli\u003eCMS Office of Human Capital (for cases involving employees, such as harassment through email)\u003c/li\u003e\u003cli\u003eCMS Office of Financial Management (in the case where extra funding is needed for investigation activities)\u003c/li\u003e\u003cli\u003eCMS Office of Communications (for incidents that may generate publicity)\u003c/li\u003e\u003cli\u003eCMS Office of Legislation (for incidents with potential legal ramifications)\u003c/li\u003e\u003cli\u003eUS-CERT (required for Federal agencies and systems operated on behalf of the Federal government).\u003c/li\u003e\u003cli\u003eIndividuals whose PII has been compromised\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe below table documents the responsibilities that should be fulfilled by employees in certain roles during an incident response event:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRole\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eResponsibility\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCISO\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eLead the 
investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eOnce an incident has been validated, the incumbent CISO will follow the steps in the CISO Playbook which is attached as Appendix A. This playbook details the CISO’s responsibilities, the scenarios to be considered and the relevant incident response contacts during an event.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIMT Lead\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify and deliver incident situation reports to CMS CISO.\u003c/li\u003e\u003cli\u003eCoordinate Incident Response activities\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSenior Official for Privacy (SOP)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCoordinate/Support incident response activities with CISO.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the system Business Owner and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling which includes all incidents involving PII/PHI.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eWorks with IMT Lead to coordinate incident response activities related to their assigned CMS information systems.\u003c/li\u003e\u003cli\u003eIn the event of a PII/PHI breach, coordinate with the Senior Official for Privacy and HHS PIRT to handle notifying affected individuals\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eNotify IMT of incident 
situation\u003c/li\u003e\u003cli\u003eEnsure Incident Response form has been completed as accurately as possible at the time of the initial report.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDesignated Appointee\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eUpdate the ServiceNow ticket as the situation evolves and follow up with the CMS IT Service Desk until the incident has been resolved.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContainment, Eradication and Recovery\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eChoose a containment strategy. The containment strategy is determined based on the type of the incident (e.g., disconnect system from the network, or disable certain functions). The strategy should also consider evidence preservation: volatile data such as memory contents is lost when a host is powered off, so it should be captured first if it is needed as evidence. Frontline incident responders should work with the IMT to select an appropriate containment strategy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eGather and handle evidence. The CCIC Forensic, Malware and Analysis Team (FMAT) maintains the criteria for evidence collection and a procedure to ensure a chain of custody. The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eIdentify the attacking host. The following items taken from NIST-SP 800-61 Rev. 2 \u003cem\u003eComputer Security Incident Handling Guide \u003c/em\u003edescribe the most commonly performed activities for attacking host identification:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eValidating the Attacking Host’s IP Address: \u003c/strong\u003eNew incident handlers often focus on the attacking host’s IP address. 
The handler may attempt to validate that the address was not spoofed by verifying connectivity to it; however, this simply indicates that a host at that address does or does not respond to the requests. A failure to respond does not mean the address is not real; for example, a host may be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic address that has already been reassigned to someone else. Probing the address from CMS networks may additionally alert the attacker that the activity has been noticed, so any such check should be made from a separate research workstation, as with search engine research.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eResearching the Attacking Host through Search Engines: \u003c/strong\u003ePerforming an Internet search using the apparent source IP address of an attack may lead to more information on the attack, for example, a mailing list message regarding a similar attack.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eUsing Incident Databases: \u003c/strong\u003eSeveral groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time deny lists. The organization can also check its own knowledge base or issue tracking system for related activity.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitoring Possible Attacker Communication Channels: \u003c/strong\u003eIncident handlers can monitor communication channels that may be used by an attacking host. For example, many bots use IRC as the primary means of communication. Also, attackers may congregate on certain IRC channels to brag about compromises and share information. However, incident handlers should treat any such information acquired only as a potential lead, not as fact.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eEradicate the incident and recover. Eliminate components of the incident (e.g. delete malware, disable breached accounts, identify and mitigate vulnerabilities that were exploited). 
Incident responders should coordinate with the IMT to identify and execute a strategy for eradication of the incident. Once eradication has been completed, restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents. Where the extent of a compromise cannot be determined, rebuild the host or restore it from a backup known to predate the compromise rather than cleaning it in place, and monitor restored systems closely for signs of reinfection.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eConduct a lessons learned meeting. Learning and improving is one of the most important parts of incident response, yet it is also the step most often omitted. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself. Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the meeting include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eExactly what happened, and at what times?\u003c/li\u003e\u003cli\u003eHow well did staff and management perform in dealing with the incident? 
Were the documented procedures followed and adequate?\u003c/li\u003e\u003cli\u003eWhat information was needed sooner?\u003c/li\u003e\u003cli\u003eWere any steps or actions taken that might have inhibited the recovery?\u003c/li\u003e\u003cli\u003eWhat would the staff and management do differently the next time a similar incident occurs?\u003c/li\u003e\u003cli\u003eHow could information sharing with other organizations have been improved?\u003c/li\u003e\u003cli\u003eWhat corrective actions can prevent similar incidents in the future?\u003c/li\u003e\u003cli\u003eWhat precursors or indicators should be watched for in the future to detect similar incidents?\u003c/li\u003e\u003cli\u003eWhat additional tools or resources are needed to detect, analyze, and mitigate future incidents?\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eDocument the lessons learned and update the IRP and associated procedures as necessary.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eEnsure evidence is retained and archived. The criteria for evidence collection, a procedure to ensure a chain of custody, and archival instructions are maintained by the CCIC Forensic, Malware and Analysis Team (FMAT). The IMT will coordinate with the FMAT to provide incident responders with assistance to collect and handle evidence. Retention periods should account for possible legal or administrative proceedings, which may require evidence to be kept well after the incident is closed.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAutomated Incident Handling Processes (IR-04(01))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS employs automated mechanisms to support the incident handling process. CMS employs automated mechanisms (e.g., online incident management systems) to support the organization’s incident handling process. 
The following table provides examples of tools used for automated incident handling processes at CMS.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: Automated Tools\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTools\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eUsers\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eHHS RSA Archer\u003c/td\u003e\u003ctd\u003eThe HHS tool used for all incident tracking and reporting. Users do not access HHS Archer directly.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eServiceNow\u003c/td\u003e\u003ctd\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/td\u003e\u003ctd\u003e\u003cp\u003eCMS IT Service Desk, CCIC IMT and CCIC SOC\u003c/p\u003e\u003cp\u003eAnalysts\u003c/p\u003e\u003cp\u003eCMS Users\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSplunk\u003c/td\u003e\u003ctd\u003eA logging solution for security (CMS Enterprise Security) and Operations and Maintenance (O\u0026amp;M) log management (OCISO Systems Security Management, OSSM). It is used as an audit reduction tool by the agency to review audit logs.\u003c/td\u003e\u003ctd\u003eCCIC\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eInformation Correlation (IR-04(04))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of Information Correlation is to ensure that CMS correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. 
To achieve this:\u003c/p\u003e\u003col\u003e\u003cli\u003eAll tickets submitted in ServiceNow are thoroughly worked to determine whether they are valid incidents. The submitted tickets are correlated and analyzed for trends.\u003c/li\u003e\u003cli\u003eCCIC uses the SIEM tool, Splunk, to correlate data from various sources and generate alerts for potential incidents and breaches.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eIncident Monitoring (IR-05)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Monitoring is to ensure that CMS documents information system security incidents and maintains records about each incident such as the status of the incident, and pertinent information necessary for forensics (evaluating incident details, trends, and handling). At CMS, the CCIC delivers a number of important, agency-wide security services. One such service is Continuous Diagnostics and Mitigation (CDM), which is still in development; not all data centers have been transitioned to it. Other services include vulnerability management, security engineering, incident management, forensics and malware analysis, information sharing, cyber-threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eThe IMT is the group responsible for tracking and documenting security and privacy incidents. Stakeholders outside of the IMT (e.g., incident responders, ISSO, system owners, etc.) are responsible for providing the information necessary to track and monitor information security and privacy incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Tracking/Data Collection/Analysis (IR-05(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Tracking/Data Collection/Analysis is to ensure that CMS employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. 
At CMS, the RSA Archer/CFACTS SecOps Module is utilized for tracking potential incidents under investigation by the CCIC SOC. The IMT is responsible for maintaining the data in RSA Archer/CFACTS along with reviewing, updating, and analyzing the data and producing trend analysis.\u003c/p\u003e\u003cp\u003eThe following list details automated tools utilized at CMS to assist in the tracking of security incidents and in the collection and analysis of incident information. Once an incident has been reported, the external stakeholders will be able to leverage the benefits of these tools via the support provided by the IMT.\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS uses a ServiceNow ticketing system for tracking and reporting all privacy and security incidents.\u003c/li\u003e\u003cli\u003eThe CMS ServiceNow ticket is used by the CMS IT Service Desk to track changes and problems within the CMS environment.\u003c/li\u003e\u003cli\u003eThe HHS Archer is the incident response tool used to notify HHS of an incident. A shell ticket is automatically created in HHS Archer when CMS IMT is assigned a ticket in ServiceNow.\u003c/li\u003e\u003cli\u003eThe CCIC IMT updates the incident information in ServiceNow, which posts automatically to HHS Archer. 
This will occur until the incident has been resolved.\u003c/li\u003e\u003cli\u003eCMS RSA Archer/CFACTS SecOps Module is used for investigating potential incidents discovered by the CCIC SOC.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Reporting (IR-06)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe intent of this control is to ensure that CMS requires employees and contractors to report suspected or confirmed information security and privacy incidents to appropriate authorities and to ensure that a formal incident reporting process exists.\u003c/p\u003e\u003cp\u003eAs part of a robust, enterprise security operations program designed to reduce the risks of malicious activity, CMS established the CCIC to provide enterprise-wide situational awareness and near real-time risk management. The CCIC also provides information security and aggregated monitoring of security events across all CMS information systems. Finally, the CCIC notifies appropriate security operations staff of detected configuration weaknesses, vulnerabilities open to exploitation, and relevant threat intelligence, including indicators of compromise (IOCs) and security patches. For purposes of incident response, the IMT, as a sub-component of the CCIC, provides incident response assistance and support. All information security and privacy incidents are to be reported to the CMS IT Service Helpdesk. 
The CMS IT Service Helpdesk will notify the IMT as appropriate.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control IR-6\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-6\u003c/td\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003eRequires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to [Assignment: organization-defined authorities]\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003eRequires personnel to report actual or suspected security and privacy incidents to the organizational incident response capability within 1 hour of discovery/notification; and\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eReports security, privacy and supply chain incident information to CMS IT Service Help Desk.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe following process details the CMS procedure for reporting suspected security and privacy incidents:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eReport the suspected information security and privacy incident to the CMS IT Service Desk at (410) 786-2580 (internal only) or (800) 562-1963 (internal and external) and/or email \u003ca 
href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. Additionally, contact your ISSO as soon as possible and apprise them of the situation. All suspected information security and privacy incidents must be reported to the CMS IT Service Desk within one hour of discovery.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eAfter notifying the CMS IT Service Desk, collect as much supporting information as possible on the suspected security and privacy incident using the Incident Response Reporting Template located in the ISPL. Provide the information contained on the completed incident reporting form to the CMS IT Service Desk.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThis template replaces the previous HHS CMS Computer Security Incident Report form that was published separately to the information security library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Desk creates a ServiceNow ticket and enters the details on the suspected security and privacy incident. This ServiceNow ticket creates a shell ticket in HHS Archer, which is the HHS incident response tool.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe IMT will update the ServiceNow ticket, as necessary, which will automatically populate in HHS Archer until the incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eThe IMT analyzes the suspected incident, working with the SOC analyst as necessary, and if confirmed as an actual incident executes the incident handling procedures located in Section 3.5 Incident Handling.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAutomated Reporting (IR-06(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automated Reporting is to ensure that CMS employs automated mechanisms to assist in the reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Automated Reporting:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk and report the information security incident.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe CMS IT Service Helpdesk will open a ServiceNow ticket and record the incident. This ServiceNow ticket automatically generates an Archer ticket notifying HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eThe CMS IT Service Helpdesk will then assign the ticket to the IMT and they will evaluate the incident report while providing updates to CMS CISO and HHS CSIRC.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eThe user (reporter) will continue to update the incident report in ServiceNow or contact the CMS IT Service Helpdesk.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5: \u003c/strong\u003eIf the IMT finds that the event is valid, the user will be contacted and the mitigation process will start.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6: \u003c/strong\u003eIf the IMT finds that the event is not valid, the IMT will close out the ticket and contact the user.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7: \u003c/strong\u003eThe user (reporter) will work with the IMT until remediation of the security incident.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Assistance (IR-07)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of Incident Response Assistance is to ensure that CMS provides an incident response support resource, integral to the CMS’ incident capability that offers advice and assistance to users of the information system for handling and reporting of security and privacy incidents. 
The following steps detail the CMS specific process for Incident Response assistance:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eUser will contact the CMS IT Service Helpdesk for incident response assistance. The CMS IT Service Desk notifies the IMT as appropriate.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eThe IMT will evaluate, validate the incident and assist with the mitigation.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAutomation Support for Availability of Information/Support (IR-07(01))\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of Automation Support for Availability of Information Support is to ensure that CMS employs automated mechanisms to increase the availability of incident response-related information and support.\u003c/p\u003e\u003cp\u003eCMS uses multiple resources to provide the user community information/support. These include but are not limited to intranets, mailboxes, and online libraries.\u003c/p\u003e\u003cp\u003eUsers may use the following resources for Automation Support for Availability of Information/Support:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/\"\u003eThe CMS website\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe CMS CISO mailbox at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS IT Service Desk at \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCMS Incident Management Team (IMT) at \u003ca href=\"mailto:IncidentManagement@cms.hhs.gov\"\u003eIncidentManagement@cms.hhs.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"http://intranet.cms.gov/\"\u003eThe CMS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.hhs.gov/ocio\"\u003eThe HHS.gov\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThe \u003ca href=\"https://intranet.hhs.gov/\"\u003eHHS Intranet \u003c/a\u003e(this service is available ONLY to personnel who have access to a GFE issued device, (i.e., laptop, desktop))\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan (IR-08)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe purpose of the Incident Response Plan (IRP) is to provide a roadmap for implementing the incident response capability. Each organization needs a plan that meets its unique requirements, which relates to the organization’s mission, size, structure, and functions. The plan should lay out the necessary resources and management support. The incident response plan should include the following elements:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePurpose\u003c/li\u003e\u003cli\u003eScope\u003c/li\u003e\u003cli\u003eDefinitions\u003c/li\u003e\u003cli\u003eRoles and Responsibilities\u003c/li\u003e\u003cli\u003eUnderstanding an Incident\u003c/li\u003e\u003cli\u003eIncident Life Cycle\u003cul\u003e\u003cli\u003ePreparation\u003c/li\u003e\u003cli\u003eDetection and Analysis\u003c/li\u003e\u003cli\u003eContainment, Eradication and Recovery\u003c/li\u003e\u003cli\u003ePost-Incident Activity\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReporting Requirements\u003c/li\u003e\u003cli\u003ePoints of Contact\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe incident response policy is established in the CMS IS2P2 and has been included in this handbook. The Incident Response Plan template is attached to this document as Appendix B. This document provides incident response procedure to facilitate the implementation of incident response controls. 
Incident response plan, policy, and procedure creation is an important part of establishing a team and permits incident response to be performed effectively, efficiently, and consistently; it also ensures that the team is empowered to do what needs to be done.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS organizationally defined parameters for IR planning.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 6: CMS Defined Parameters - Control IR-8\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIR-8\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by [Assignment: organization-defined personnel or role];\u003c/p\u003e\u003cp\u003eb. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or role) and organizational elements];\u003c/p\u003e\u003cp\u003ec. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and protects the incident response plan from unauthorized disclosure and modification.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003ea. Incident Response Plan is reviewed and approved by the applicable Business Owner at least annually.\u003c/p\u003e\u003cp\u003eb. 
Distributes copies of the incident response plan to CMS CIO, CMS CISO, ISSO, CMS OIG Computer Crime Unit (CCU), all personnel within the CMS Incident Response Team, PII Breach Response Team and Operations Centers.\u003c/p\u003e\u003cp\u003ec. Reviewed annually; updated as required.\u003c/p\u003e\u003cp\u003ed. Communicates incident response plan changes to all stakeholders.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe CCIC IMT created an IRP that provides CMS with a roadmap for implementing its incident response capability and outlines the incident response process for the IMT. In addition, each information system is responsible for maintaining a separate IRP that describes the system’s internal processes for incident response and leverages the capability of the IMT. The following steps detail the process for creating an IRP using the template located in the ISPL:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1: \u003c/strong\u003eComplete a draft IRP by leveraging the template and instructions located in Appendix B.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2: \u003c/strong\u003eSubmit the draft IRP to the information system’s assigned CRA for ISPG approval. Update the plan as necessary based on the feedback received from ISPG.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3: \u003c/strong\u003eDocument the plan approval by having the Business Owner and ISSO sign the plan.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4: \u003c/strong\u003eDisseminate the plan to all appropriate stakeholders, including the CRA, ISSO, BO, Incident Responders, System Developers, and System Administrators.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eCMS Security \u0026amp; Privacy Incident Report Form\u003c/h2\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Security and Privacy Incident Report\u003c/strong\u003e is a form to be filled out when someone has an incident to report. 
\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/rmh-chapter-08-incident-response-appendix-k-incident-report-template\"\u003eYou can access the form and instructions here\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Steps for CISO\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSignificant Event/Potential Incident Reported\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive notification from DCTSO Director or IR Fed Lead\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eWas this incident reported to HHS Office of Civil Rights (OCR) in accordance with HIPAA and for Protected Health Information (PHI)? 
Refer to the OCR website for any details about the event / incident.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eObtain situational awareness \u003c/strong\u003eof the potential incident and the likely\u003c/p\u003e\u003cp\u003eimpact(s) on CMS data and /or CMS FISMA systems.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident situation reports from IMT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eWhen engaging an external partner, consider including or informing HHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR), which executes the Federal coordination responsibilities on behalf of HHS regarding the critical infrastructure public-private partnership for the Healthcare and Public Healthcare Sector (identified in PPD-21 and the National Infrastructure Protection Plan (NIPP)).\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident 
\u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will coordinate with IMT to ensure all stakeholders are on security bridge (e.g., SOP, OL, OA, HHS)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eDoes this incident potentially include a criminal element and, therefore, require notification of law enforcement? 
If so, engage HHS Office of the Inspector General.\u003c/li\u003e\u003cli\u003eDoes CMS have relevant experience or capabilities that it could deploy?\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eTriage and determine if risk analysis should be performed\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eOC/OL will keep the response teams apprised of public or legislative affairs matters related to the event/incident (e.g., Congressional inquiries and media monitoring)\u003c/li\u003e\u003cli\u003eIf communication of CMS risks or potential impacts is necessary, coordinate development of messaging and identify communication channels\u003c/li\u003e\u003cli\u003eReceive impact analysis and make a decision regarding additional analysis of impacts to CMS\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency 
partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e5\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eDetermine specific CMS impacts \u003c/strong\u003e(e.g., PII, PHI, FTI, contracts, \u0026amp; other business partners) and \u003cstrong\u003eDetermine specific impacts to CMS data \u003c/strong\u003e(e.g., PII,\u003c/p\u003e\u003cp\u003ePHI, FTI)\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eProvide guidance to IR staff about cadence of status reporting\u003c/li\u003e\u003cli\u003eEscalate incident to HHS leadership\u003c/li\u003e\u003cli\u003eWhen findings are presented, consider if public and/or external communication may be appropriate (even if it is not legally necessary or required)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIn accordance with OMB M-20-04, report “\u003cem\u003emajor incidents” \u003c/em\u003eto Congress within seven days.\u003c/li\u003e\u003cli\u003eWhen evaluating impacts to CMS systems, engage business owners and system owners (including ISSOs) and include the impacts to their environments in status reports.\u003c/li\u003e\u003cli\u003eIf sensitive information other than PII, 
PHI, or FTI (e.g., proprietary information) is at risk, consider the risk to the agency and determine appropriate next steps.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e6\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConduct security bridge with stakeholders to review incident \u003c/strong\u003eto obtain a greater understanding of the incident’s impacts and implications. Also,\u003c/p\u003e\u003cp\u003ediscuss potential response needs, such as deployment of response capabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT\u003c/li\u003e\u003cli\u003eCISO/Deputy CISO will likely lead the meeting(s)/call(s), with\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e7\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eExecute SOPs to contain and eradicate cause of the 
event/incident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide additional guidance/direction as necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDoes CMS have relevant experience or capabilities that it could deploy or offer to assist the external partner(s)?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e8\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eMonitor event/incident to assess changes in risk to CMS systems and/or data\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIf changes in risk to CMS systems and/or data are evident, go to \u003cstrong\u003eStep 2A\u003c/strong\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReceive incident status reports from IMT and provide counsel to leadership and response teams as appropriate\u003c/li\u003e\u003cli\u003eOC/OL: Determine if monitoring of media and Congressional sources is necessary, and communicate requests or news to leadership and response teams. 
Coordinate requests for information or messages that may need to be communicated externally\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP OC OL OA HHS\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDevelop lessons learned and recommend program enhancements\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eParticipate in IMT-led lessons learned development process and inform recommendations\u003c/li\u003e\u003cli\u003eReview lessons learned and submit to business \u0026amp; system owners\u003c/li\u003e\u003cli\u003eReview and support POA\u0026amp;Ms as required\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDetermine if policy changes need to occur in order to further safeguard CMS data.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e10\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eConclude incident and complete external communications 
activities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCONTACTS\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eResponsibilities\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eReview final Security Incident Report (SIR)\u003c/li\u003e\u003cli\u003eReport closure of incident as appropriate/necessary\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIMT SOP\u003c/p\u003e\u003cp\u003eISPG Directors System Owner\u003c/p\u003e\u003cp\u003eData Guardian, ISSO, CRA\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eConsiderations\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAre there any event/incident facts or findings discovered to date that can or should be shared with ISAOs or interagency partners?\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eContacts\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContact\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eNumber\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIncident Management Team (IMT)\u003c/td\u003e\u003ctd\u003e443-316-5005\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSenior Official for Privacy (SOP)\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDCTSO Director\u003c/td\u003e\u003ctd\u003e410-786-5956\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPC Director\u003c/td\u003e\u003ctd\u003e410-786-6918\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDSPPG 
Director\u003c/td\u003e\u003ctd\u003e410-786-5759\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Communications (OC)\u003c/td\u003e\u003ctd\u003e410-786-8126\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of Legislation (OL)\u003c/td\u003e\u003ctd\u003e202-619-0630\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOffice of the Administrator (OA)\u003c/td\u003e\u003ctd\u003e410-786-3000\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of the Secretary (OS), Office of the Assistant Secretary for Preparedness and Response (ASPR)\u003c/td\u003e\u003ctd\u003e202-205-8114\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHHS Office of Inspector General (OIG)\u003c/td\u003e\u003ctd\u003e800-447-8477\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBridge\u003c/td\u003e\u003ctd\u003e877-267-1577 (meeting ID will be shared by IMT upon notification)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Notification Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eNotification\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eWho Notifies?\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll incidents\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT\u003c/li\u003e\u003cli\u003eHHS CSIRC\u003c/li\u003e\u003cli\u003eCIO\u003c/li\u003e\u003cli\u003eCISO\u003c/li\u003e\u003cli\u003eSOP\u003c/li\u003e\u003cli\u003eDeputy CISO\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eCMS IT Service Desk notifies IMT of an incident\u003c/li\u003e\u003cli\u003eCMS incident tickets are mirrored in the HHS Archer, which notifies HHS CSIRC\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving a CMS 
System\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eSO\u003c/li\u003e\u003cli\u003eBO\u003c/li\u003e\u003cli\u003eISSO\u003c/li\u003e\u003cli\u003eDG\u003c/li\u003e\u003cli\u003eCRA\u003c/li\u003e\u003cli\u003eUS-CERT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts CMS personnel.\u003c/li\u003e\u003cli\u003eHHS CSIRC handles US-CERT reporting.\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving suspected criminal activity\u003c/td\u003e\u003ctd\u003eHHS OIG\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving employees\u003c/td\u003e\u003ctd\u003eCMS Office of Human Capital\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIncidents involving legal ramifications\u003c/td\u003e\u003ctd\u003eCMS Office of Legislation\u003c/td\u003e\u003ctd\u003eIMT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eISPG (to convene Breach Analysis Team)\u003c/li\u003e\u003cli\u003eIndividuals affected by PII/PHI compromise\u003c/li\u003e\u003cli\u003eHHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIMT alerts ISPG of suspected breach\u003c/li\u003e\u003cli\u003eCMS SOP and BO create a notification plan for affected individuals, subject to review by HHS PIRT\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches affecting 500 or more people\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eHHS OCR\u003c/li\u003e\u003cli\u003eMedia outlets, as appropriate\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003ctd\u003eCMS SOP\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBreaches requiring Media Outreach\u003c/td\u003e\u003ctd\u003eCMS Office of Communications\u003c/td\u003e\u003ctd\u003eCMS 
SOP\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eIncident Response Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe objective of this Incident Response Plan (IRP) is to outline the incident handling and response process for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; in accordance with the requirements outlined in the CMS Acceptable Risk Safeguards (ARS) and CMS Risk Management Handbook (RMH) Chapter 8, Incident Response. This plan covers all assets within the information system boundary, transmitting, storing, or processing CMS information. Furthermore, this plan describes how to manage incident response according to all Federal, Departmental and Agency requirements, policies, directives, and guidelines.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThis IRP is written for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; stakeholders with incident response roles and responsibilities and describes those responsibilities for each phase of the incident life cycle. 
This plan establishes a quick reference for security and privacy incident handling and response.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe following key terms and definitions relate to incident response:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdministrative Vulnerability: \u003c/strong\u003eAn administrative vulnerability is a security weakness caused by incorrect or inadequate implementation of a system’s existing security features by the system administrator, security officer, or users. An administrative vulnerability is not the result of a design deficiency. It is characterized by the fact that the full correction of the vulnerability is possible through a change in the implementation of the system or the establishment of a special administrative or security procedure for the system administrators and users. Poor passwords and inadequately maintained systems are the leading causes of this type of vulnerability.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach: \u003c/strong\u003eA breach is an incident that poses a reasonable risk of harm to the applicable individuals. For the purposes of Office of Management and Budget (OMB) OMB M-17-12 (for PII incidents) and Health Information Technology for Economic and Clinical Health (HITECH) Act (for PHI incidents) reporting requirements, a privacy incident does not rise to the level of a breach until it has been determined that the use or disclosure of the protected information compromises the security or privacy of the protected individual(s) and poses a reasonable risk of harm to the applicable individuals. 
For any CMS privacy incident, the determination of whether it may rise to the level of a breach is made (exclusively) by the CMS Breach Analysis Team (BAT), which determines whether the privacy incident poses a significant risk of financial, reputational, or other harm to the individual(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent: \u003c/strong\u003eAn event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Tax Information (FTI): \u003c/strong\u003eGenerally, Federal Tax Returns and return information are confidential,\u003c/p\u003e\u003cp\u003eas required by Internal Revenue Code (IRC) Section 6103. The information is used by the Internal Revenue Service (IRS) is considered FTI and ensure that agencies, bodies, and commissions are\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDefinitions\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003emaintaining appropriate safeguards to protect the information confidentiality. 
[IRS 1075] Tax return information that is not provided by the IRS falls under PII.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Response: \u003c/strong\u003eIncident response outlines steps for reporting incidents and lists actions to be taken to resolve information systems security and privacy related incidents.\u0026nbsp; Handling an incident entails forming a team with the necessary technical capabilities to resolve an incident, engaging the appropriate personnel to aid in the resolution and reporting of such incidents to the proper authorities as required, and report closeout after an incident has been resolved.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Incident: \u003c/strong\u003eA Privacy Incident is a Security Incident that involves Personally Identifiable Information (PII) or Protected Health Information (PHI), or Federal Tax Information (FTI) where there is a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users or any other than authorized purposes. 
Users must have access or potential access to PII, PHI and/or FTI in usable form whether physical or electronic.\u003c/p\u003e\u003cp\u003ePrivacy incident scenarios include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLoss of federal, contractor, or personal electronic devices that store PII, PHI and/or FTI affiliated with CMS activities (i.e., laptops, cell phones that can store data, disks, thumb-drives, flash drives, compact disks, etc.)\u003c/li\u003e\u003cli\u003eLoss of hard copy documents containing PII, PHI and/or FTI\u003c/li\u003e\u003cli\u003eSharing paper or electronic documents containing PII, PHI and/or FTI with individuals who are not authorized to access it\u003c/li\u003e\u003cli\u003eAccessing paper or electronic documents containing PII, PHI and/or FTI without authorization or for reasons not related to job performance\u003c/li\u003e\u003cli\u003eEmailing or faxing documents containing PII, PHI and/or FTI to inappropriate recipients, whether intentionally or unintentionally\u003c/li\u003e\u003cli\u003ePosting PII, PHI and/or FTI, whether intentionally or unintentionally, to a public website\u003c/li\u003e\u003cli\u003eMailing hard copy documents containing PII, PHI and/or FTI to the incorrect address\u003c/li\u003e\u003cli\u003eLeaving documents containing PII, PHI and/or FTI exposed in an area where individuals without approved access could read, copy, or move for future use\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSecurity Incident: \u003c/strong\u003eIn accordance with \u003cem\u003eNIST SP 800-61 Revision 2, Computer Security Incident Handling Guide\u003c/em\u003e, a Security Incident is defined as an event that meets one or more of the following criteria:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in any information system processing information on behalf of CMS. 
It also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents and misrouting of mail, all of which may have the potential to put CMS data at risk of unauthorized access, use, disclosure, modification, or destruction\u003c/li\u003e\u003cli\u003eAn occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits\u003c/li\u003e\u003cli\u003eA violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTechnical Vulnerability: \u003c/strong\u003eA technical vulnerability is a hardware, firmware, or software weakness or design deficiency that leaves a system open to potential exploitation, either externally or internally, thus increasing the risk of compromise, alteration of information, or denial of service.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert the roles and responsibilities associated with this plan. 
Possible roles include:\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eBusiness Owners\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Owner(s)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCyber Risk Advisors (CRA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eInformation System Security Officer (i.e., ISSO)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eCCIC Incident Management Team (i.e., CCIC IMT)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eFor a detailed description of the responsibilities associated with these roles, please refer to the CMS IS2P2 located at: \u003c/em\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"\u003e\u003cem\u003e\u003cstrong\u003ehttps://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\u003c/strong\u003e\u003c/em\u003e\u003c/a\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eUnderstanding an Incident\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe following lists a small subset of common, well-known incidents:\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eData Destruction or Corruption: \u003c/strong\u003eThe loss of data integrity can take many forms, including changing permissions on files making the files writable by non-privileged users, deleting data files and/or programs, changing audit files to cover up an intrusion, changing configuration files that determine how and 
what data is stored and ingesting information from other sources that may be corrupt\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eData Compromise and Data Spills: \u003c/strong\u003eData compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMalicious Software (Malware): \u003c/strong\u003eMalicious code is software based attacks used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem. 
The following is a brief listing of various software attacks:\u003col\u003e\u003cli\u003e\u003cstrong\u003eVirus: \u003c/strong\u003eIt is propagated via a triggering mechanism (e.g., event time) with a mission (e.g., delete files, corrupt data, send data).\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eWorm: \u003c/strong\u003eAn unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eTrojan Horse: \u003c/strong\u003eA useful and innocent program containing additional hidden code that allows unauthorized computer network exploitation (CNE), falsification, or destruction of data.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTypes of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eSpyware: \u003c/strong\u003eSurreptitiously installed malicious software that is intended to track and report the usage of a target system or collect other data the author wishes to obtain.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eRootkit Software: \u003c/strong\u003eSoftware that is intended to take full or partial control of a system at the lowest levels. Contamination is defined as inappropriate introduction of data into a system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePrivileged User Misuse: \u003c/strong\u003ePrivileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSecurity Support Structure Configuration Modification: \u003c/strong\u003eSoftware, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled. 
SSS’ are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eNote: These categories of incidents are not necessarily mutually exclusive.\u003c/strong\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eCauses of Incidents\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eMalicious Code: \u003c/strong\u003eMalicious code is software or firmware intentionally inserted into an information system for an unauthorized purpose\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSystem Failures: \u003c/strong\u003eProcedural failures or improper acts. A secure operating environment depends upon proper operation and use of systems. Failure to comply with established procedures, or errors/limitations in the procedures for a CMS system, can damage CMS reputation and increase vulnerability/risk to the system or application. While advances in computer technology enable the building of increased security into the CMS architecture, much still depends upon the people operating and using the system(s). Improper acts may be differentiated from insider attack according to intent. With improper acts, someone may knowingly violate policy and procedures, but is not intending to damage the system or compromise the information it contains\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eIntrusions or Break-Ins: \u003c/strong\u003eAn intrusion or break-in is entry into and use of a system by an unauthorized individual\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eInsider Attack: \u003c/strong\u003eInsider attacks can pose the greatest risk. 
In an insider attack, a trusted user or operator attempts to damage the system or compromise the information it contains\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eAvenues of Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAs with any information system, attacks can originate through certain avenues or routes. An attack avenue is a path or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack avenues enable attackers to exploit system vulnerabilities, including the human element. If a system were locked in a vault with security personnel surrounding it, and if the system were not connected to any other system or network, there would be virtually no avenue of attack. However, there are numerous avenues of attack.\u003c/p\u003e\u003cul\u003e\u003cli\u003eLocal and/or partner networks\u003c/li\u003e\u003cli\u003eUnauthorized devices (including non-approved connections to a local network)\u003c/li\u003e\u003cli\u003eGateways to outside networks\u003c/li\u003e\u003cli\u003eCommunications devices\u003c/li\u003e\u003cli\u003eShared disks\u003c/li\u003e\u003cli\u003eRemovable media\u003c/li\u003e\u003cli\u003eDownloaded software\u003c/li\u003e\u003cli\u003eDirect physical access\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePossible Impacts of an Attack\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOne of the major concerns of a verifiable computer security attack is that sensitive PII is compromised. 
The release of sensitive information to people without the proper need-to-know or formal authorization jeopardizes the tenets of Confidentiality, Integrity and Availability (CIA). In addition, users may lose trust in computing systems and become hesitant to use one that has a high frequency of incidents or even a high frequency of events that cause the user to distrust the integrity of the federal system. Moreover, users become disenfranchised with any action that causes all or part of the network’s service to be stopped entirely, interrupted, or degraded sufficiently to impact operations, as with a DoS attack. The list of impacts from attacks that compromise computer security includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDenial of Service\u003c/li\u003e\u003cli\u003eLoss or Alteration of Data or Programs\u003c/li\u003e\u003cli\u003ePrivacy Incidents, including those resulting in identity theft or data breach\u003c/li\u003e\u003cli\u003eLoss of Trust in Computing Systems\u003c/li\u003e\u003cli\u003eThe loss of intellectual property and CMS confidential information\u003c/li\u003e\u003cli\u003eReputational damage to the organization\u003c/li\u003e\u003cli\u003eThe additional cost of securing networks, insurance, and recovery from attacks\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eIncident Life Cycles\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eThe incident response process has four phases. 
Review the \u003ca href=\"https://csrc.nist.gov/pubs/sp/800/61/r2/final\"\u003eNIST SP 800-61 Incident Lifecycle\u003c/a\u003e.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePreparation\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003ePreparation ensures that the organization is ready to respond to incidents, but can also prevent incidents by ensuring that systems, networks, and applications are sufficiently secure. The following describes the techniques utilized by the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt; to prepare for security and privacy incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to prepare for information security incidents. Examples of preparation methods are implementing incident response tools, establishing security baselines, and running periodic announced training and/or unannounced drills. For additional information on preparation activities, please review Section 3.3.1 Preparation of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe how incidents involving PII are to be handled, including the policies and procedures that have been developed and how those policies and procedures are communicated to the staff. Staff should be informed of the consequences of their actions for inappropriate use and handling of PII. Describe how it is determined that the existing processes are adequate and that staff understand their responsibilities. Describe how suspected or known incidents involving PII are reported to the business owner, information system owner, CRA, ISSO, and CCIC IMT. 
Describe what information needs to be reported, and to whom.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDetection and Analysis\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIncidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies. The following section describes the techniques utilized by the \u0026lt;system name\u0026gt; to detect and analyze security incidents.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to detect and analyze information security incidents. Examples of detection and analysis methods are preparing for common attack vectors, recognizing the signs of an incident, and documenting and prioritizing the incident. For additional information on detection and analysis activities, please review Section 3.3.2 Detection and Analysis of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to detect and analyze incidents involving PII that are the responsibility of the information staff. Describe how it is ensured that the analysis process includes an evaluation of whether an incident involved PII, focusing on both known and suspected breaches of PII. 
Detection of an incident involving PII also requires reporting internally, to US-CERT, and externally, as appropriate; this is a CCIC IMT responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eContainment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eContainment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making. Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. The following section describes the containment strategies and procedures for the \u0026lt;\u003cem\u003esystem name\u003c/em\u003e\u0026gt;:\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the strategies and procedures in place for the information system to contain information security incidents. Examples of containment strategies are, shut down a system, disconnect it from a network, and/or disable certain functions. 
For additional information on Containment activities, review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the strategies and procedures in place for containing incidents involving PII.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eContainment, Eradication \u0026amp; Recovery\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that the hosts can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to eradicate and recover from information security incidents. Examples methods for eradication are delete malware, disable breached accounts, identify and mitigate vulnerabilities that were exploited. Examples activities associated with recovering from information security incidents are restore systems to normal operation, confirm that systems are functioning normally, and remediate vulnerabilities to prevent similar incidents. 
For additional information on Eradication and Recovery activities review Section 3.3.3 Containment, Eradication and Recovery of the CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe if media sanitization steps are performed when PII needs to be deleted from media during recovery. PII should not be sanitized until a determination has been made about whether the PII must be preserved as evidence. Describe if forensics techniques are needed to ensure preservation of evidence. If PII was accessed, how is it determined how many records or individuals were affected. These activities should be coordinated with the CCIC IMT.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePost-Incident Activity\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eAfter an incident has been eradicated and recovery completed, each incident response team should evolve to reflect upon new threats, improve technology, and document lessons learned. Holding a lessons learned meeting with all involved parties after a major incident, and optionally after lesser incidents, can be extremely helpful in improving information security measures and the incident handling process.\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eDescribe the activities and methods in place for the information system to conduct post-incident activity after information security incidents. Examples methods for post-incident activity are: to conduct a lesson learned meeting, document the lessons learned, update the IRP and associated procedures as necessary, and ensure evidence is retained and archived. 
For additional information on post-incident activity, review the Post-Incident Activity section of the CMS RMH Chapter 8 Incident Response.\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;Describe the activities and methods in place to conduct post-incident activity after incidents involving PII. This should include how the IRP is continually updated and improved based on the lessons learned during each incident. Sharing information within CMS and US-CERT to help protect against future incidents is a CCIC responsibility.\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eReporting Requirements\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the information system process for reporting information security incidents. Incidents should be reported to the \u003c/em\u003eCMS IT Service Desk within one hour, by calling (410) 786-2580 (i.e., internal) or (1- 800) 562-1963 (internal and external) or by emailing \u003ca href=\"mailto:CMS_IT_Service@cms.hhs.gov\"\u003eCMS_IT_Service@cms.hhs.gov\u003c/a\u003e. For information on reporting requirements \u003cem\u003efor information security and privacy incidents, \u003c/em\u003ereview Section 3.5 Incident Reporting and the Incident Response Reporting Template in \u003cem\u003eThe CMS RMH Chapter 8 Incident Response\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePoints of Contact\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS IT Service Desk\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCybersecurity Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Management Team\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident Responders\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Administrators\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem Developers\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003ePlan Approval\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003cbr\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert 
email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert signature\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert name\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert title\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert email\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026lt;insert phone\u0026gt;\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Test Plan Template\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Topic\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cem\u003e\u0026lt;Insert Topic\u0026gt;\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scope\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eDescribe the scope of the incident response test to include who will participate in the exercise, the purpose of the test, and the expected outcome.\u0026nbsp; All personnel with responsibilities under the incident response plan should participate in the exercise.\u0026nbsp; The exercise should apply to the roles and responsibilities.\u0026nbsp; This includes personnel within the incident response plan being exercised and focus on validating that the documented roles, responsibilities, and interdependencies are accurate and current.\u0026nbsp; To ensure that the knowledge of the roles and responsibilities identified in the plan being exercised is current, it is often effective to conduct a training session in conjunction 
with any tabletop exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Objectives\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eThe objectives of this test are as follows:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate the content of the incident response plan and the related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e2\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo validate participants’ roles and responsibilities as documented in the incident response plan and to validate the interdependencies documented in the incident response plan.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e3\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo meet regulatory requirements, specifically the NIST SP 800-53 Rev. 4 requirements for incident response testing and incident response training.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e4\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eTo document lessons learned that may be utilized to update the incident response plan and related policies and procedures.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eParticipants\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert participants; the participants should be composed of personnel with roles and responsibilities identified in the incident response plan.\u0026nbsp; For example, training staff, validation staff, and evaluation staff\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Facilitator\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who will lead the discussion among the exercise 
participants\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eData Collector\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name of the individual who records information about the actions that occur during the exercise\u003c/em\u003e.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate of Testing\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date and time of testing\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eLocation\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert Location\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEquipment Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required equipment, for example, audio visual equipment, whiteboard, flipchart\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMaterial Required\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert required material, for example, participant guides, PowerPoint presentations, handouts\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Scenarios\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Questions\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert a list of questions regarding the scenario that address the exercise objective.\u0026nbsp; Below are 
sample questions taken from NIST Special Publication 800-61 Computer Security Incident Handling Guide\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePreparation:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWould the organization consider this activity to be an incident?\u0026nbsp; If so, which of the organization’s policies does this activity violate?\u003c/li\u003e\u003cli\u003eWhat measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eDetection and Analysis:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat precursors of the incident, if any, might the organization detect?\u0026nbsp; Would any precursors cause the organization to take action before the incident occurred?\u003c/li\u003e\u003cli\u003eWhat indicators of the incident might the organization detect?\u0026nbsp; Which indicators would cause someone to think that an incident might have occurred?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to detect this particular incident?\u003c/li\u003e\u003cli\u003eHow would the incident response team analyze and validate this incident?\u0026nbsp; What personnel would be involved in the analysis and validation process?\u003c/li\u003e\u003cli\u003eTo which people and groups within the organization would the team report the incident?\u003c/li\u003e\u003cli\u003eHow would the team prioritize the handling of this incident?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eContainment, Eradication, and Recovery:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat strategy should the organization take to contain the incident?\u0026nbsp; Why is this strategy preferable to others?\u003c/li\u003e\u003cli\u003eWhat could happen if the incident were not contained?\u003c/li\u003e\u003cli\u003eWhat additional tools might be needed to respond to this particular 
incident?\u003c/li\u003e\u003cli\u003eWhich personnel would be involved in the containment, eradication, and/or recovery processes?\u003c/li\u003e\u003cli\u003eWhat sources of evidence, if any, should the organization acquire?\u0026nbsp; How would the evidence be acquired?\u0026nbsp; Where would it be stored?\u0026nbsp; How long should it be retained?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003ePost-Incident Activity:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eWho would attend the lessons learned meeting regarding this incident?\u003c/li\u003e\u003cli\u003eWhat could be done to prevent similar incidents from occurring in the future?\u003c/li\u003e\u003cli\u003eWhat could be done to improve detection of similar incidents?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eGeneral Questions:\u003c/strong\u003e\u003c/p\u003e\u003col\u003e\u003cli\u003eHow many incident response team members would participate in handling this incident?\u003c/li\u003e\u003cli\u003eBesides the incident response team, what groups within the organization would be involved in handling this incident?\u003c/li\u003e\u003cli\u003eTo which external parties would the team report the incident?\u0026nbsp; When would each report occur?\u003c/li\u003e\u003cli\u003eHow would each report be made?\u0026nbsp; What information would you report or not report, and why?\u003c/li\u003e\u003cli\u003eWhat other communications with external parties may occur?\u003c/li\u003e\u003cli\u003eWhat tools and resources would the team use in handling this incident?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?\u003c/li\u003e\u003cli\u003eWhat aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus 
offsite)?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePlan Being Exercised\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert the name and location of the incident response plan being exercised\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eExercise Agenda\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cul\u003e\u003cli\u003eIntroductions\u003c/li\u003e\u003cli\u003eReview Exercise Scope and Logistics\u003c/li\u003e\u003cli\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/li\u003e\u003cli\u003eData Collector records observations (on-going)\u003c/li\u003e\u003cli\u003eConduct exercise debrief/hotwash\u003c/li\u003e\u003cli\u003eExercise Participants released\u003c/li\u003e\u003cli\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/li\u003e\u003c/ul\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eTest Plan Approval\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert signature by approval authority (e.g., Business Owner or ISSO)\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eTabletop Exercise Participant Guide Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eParticipant Guide\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn an 
effort to validate \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; \u0026lt;\u003cem\u003einsert name of plan being exercised\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; will conduct a tabletop exercise to examine processes and procedures associated with the implementation of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u0026nbsp; This discussion-based exercise will be a \u0026lt;\u003cem\u003einsert number of hours\u003c/em\u003e\u0026gt;-hour event that will begin at \u0026lt;\u003cem\u003einsert start time\u003c/em\u003e\u0026gt; and will last until \u0026lt;\u003cem\u003einsert end time\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003cp\u003eThe exercise is designed to facilitate communication among personnel with incident response roles and responsibilities.\u0026nbsp; The following scenarios have been chosen for this exercise:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert scenarios from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis exercise is designed to improve the readiness of the \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; and help validate existing \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt; procedures.\u003c/p\u003e\u003cp\u003eParticipants should come to the exercise prepared to discuss high-level issues related to incident handling based on the scenarios above.\u0026nbsp; To achieve the exercise’s stated objectives, discussion will focus on the following questions related to the scenarios and the incident response plan:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert questions from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eParticipants may choose to bring incident response narrative or reference material that will aid in answering the above questions.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConcept of 
Operations\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA tabletop exercise is a discussion-based event in which participants meet in a “classroom” setting to address the actions participants would take in response to an emergency.\u0026nbsp; Tabletops are an effective initial step for personnel to discuss the full range of issues related to a crisis scenario.\u0026nbsp; These exercises provide an excellent forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans.\u0026nbsp; A tabletop exercise also satisfies the training requirement for personnel with incident response roles and responsibilities.\u003c/p\u003e\u003cp\u003eParticipants will be presented with an incident response scenario.\u0026nbsp; A facilitator will help guide discussion by asking questions designed to address the exercise’s objectives.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eInsert objectives from approved test plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDebriefing/Hotwash Questions\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAn after action report identifying strengths and areas where improvements might be made will be provided after the exercise.\u0026nbsp; The following questions are designed to obtain input into the after action report from participants:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAre there any other issues you would like to discuss that were not raised?\u003c/li\u003e\u003cli\u003eWhat are the strengths of the incident response plan?\u0026nbsp; What areas require closer examination?\u003c/li\u003e\u003cli\u003eWas the exercise beneficial?\u0026nbsp; Did it help prepare you to execute on your incident response roles and responsibilities?\u003c/li\u003e\u003cli\u003eWhat did you gain from the exercise?\u003c/li\u003e\u003cli\u003eHow can we improve future exercises and tests?\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eAfter Action Report 
Template\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT ORGANIZATION NAME\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eINSERT TABLETOP EXERCISE TITLE\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAfter Action Report\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Location\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert Tabletop Date\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eOn \u0026lt;\u003cem\u003einsert date\u003c/em\u003e\u0026gt;, \u0026lt;\u003cem\u003einsert organization name\u003c/em\u003e\u0026gt; participated in a \u0026lt;\u003cem\u003einsert duration of exercise\u003c/em\u003e\u0026gt;-hour tabletop exercise designed to validate the organization’s understanding of the \u0026lt;\u003cem\u003einsert plan name\u003c/em\u003e\u0026gt;.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eObjectives\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe exercise objectives are as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u0026lt;\u003cem\u003eCopy objectives from approved Test Plan\u003c/em\u003e\u0026gt;\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgenda\u003c/strong\u003e\u003c/h4\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eDate:\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;\u003cem\u003eInsert date\u003c/em\u003e\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:00 a.m. – 9:15 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIntroductions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:15 a.m. – 9:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eReview Exercise Scope and Logistics\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. 
– 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eScenario Walk-Through \u0026amp; review of test questions (Exercise Facilitator)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e9:30 a.m. – 11:30 a.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eData Collector records observations (on-going)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e11:30 a.m. – 12:00 p.m.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eConduct exercise debrief/hotwash\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eMilestone\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eExercise Participants released\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003e1:00 p.m. - completion\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eComplete After-Action Report (Exercise Facilitator \u0026amp; Data Collector only)\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eDiscussion Findings\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u0026lt;\u003cem\u003einsert exercise name\u003c/em\u003e\u0026gt; provided information on \u0026lt;\u003cem\u003einsert relevant information\u003c/em\u003e\u0026gt;.\u0026nbsp; An important benefit of the exercise was the opportunity for participants to raise important questions, concerns, and issues.\u003c/p\u003e\u003cp\u003eThe discussion findings from the exercise along with any necessary recommended actions are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe exercise provided an excellent opportunity for participants to \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u0026nbsp; As a result of the exercise, participants left with a heightened awareness of \u003cem\u003e\u0026lt;insert relevant information\u0026gt;\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpecific 
Findings\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSpecific observations made during the exercise, and recommendations for enhancement of the plan, are as follows:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 1. \u003c/strong\u003e\u003cem\u003e\u003cstrong\u003e\u0026lt;Insert general topic area\u0026gt;\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert recommendations\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eObservation 2. \u003c/strong\u003e\u003cem\u003e\u003cstrong\u003e\u0026lt;Insert general topic area\u0026gt;\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert observation\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRecommendation\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u0026lt;\u003cem\u003eInsert recommendations\u003c/em\u003e\u0026gt;\u003c/p\u003e\u003cp\u003eBelow is an \u003cstrong\u003eexample\u003c/strong\u003e of a completed observation and recommendations; all text in blue should be deleted upon completion of the After-Action Report.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cem\u003eExample Observations and Recommendations:\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 1.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCommunication\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eA plan identifying the process for communicating with incident response team members does not exist.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eRecommendations:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe organization should consider developing a communications 
plan that establishes standardized communications requirements, addresses how stolen documents will be investigated, and describes procedures for incident response team personnel working with other organizations to investigate breaches.\u003c/li\u003e\u003cli\u003eThe organization should identify weaknesses in the incident handling plan and procedures to ensure that all essential personnel can be contacted in the event of a sensitive document breach.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eObservation 2.\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eIncident Breach Handling Protocol\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003eEssential personnel have not been made aware of the organizational impact of stolen documents, or of the incident breach handling protocol for investigation and recovery.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd colspan=\"2\"\u003e\u003cul\u003e\u003cli\u003eThe agency should examine the criteria for ALL personnel having access to sensitive organization documents.\u0026nbsp; In addition, all personnel might need to attend a security training and awareness course on how to report incidents or suspicious activities.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eSample Incident Scenarios\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 1: Domain Name System (DNS) Server Denial of Service (DoS)\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. 
Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhom should the organization contact regarding the external IP address in question?\u003c/li\u003e\u003cli\u003eSuppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?\u003c/li\u003e\u003cli\u003eSuppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday morning, a new worm is released; it spreads itself through removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent. 
The organization has already incurred widespread infections before antivirus signatures become available several hours after the worm started to spread.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the incident response team identify all infected hosts?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eHow would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?\u003c/li\u003e\u003cli\u003eWould the organization attempt to patch all vulnerable machines? If so, how would this be done?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization’s website the next morning?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if one or more of the infected hosts contained sensitive personally identifiable information regarding the organization’s employees?\u003c/li\u003e\u003cli\u003eHow would the incident response team keep the organization’s users informed about the status of the incident?\u003c/li\u003e\u003cli\u003eWhat additional measures would the team perform for hosts that are not currently connected to the network (e.g., staff members on vacation, offsite employees who connect occasionally)?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 3: Stolen Documents\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s 
systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eFrom what sources might the incident response team gather evidence?\u003c/li\u003e\u003cli\u003eWhat would the team do to keep the investigation confidential?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team identified an internal host responsible for the leaks?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 4: Compromised Database Server\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. 
The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat sources might the team use to determine when the compromise had occurred?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident change if the team discovered a rootkit on the server?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 5: Unknown Exfiltration\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what was most likely inside the .RAR files? 
Which other teams might assist the incident response team?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?\u003c/li\u003e\u003cli\u003eIf the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 6: Unauthorized Access to Payroll Records\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. 
The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eHow would the team determine what actions had been performed?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the team had reason to believe that the person was a current employee?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 7: Disappearing Host\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. 
When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat data sources might contain information regarding the identity of the vulnerability scanning host?\u003c/li\u003e\u003cli\u003eHow would the team identify who had been performing the vulnerability scans?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the vulnerability scanning were directed at external hosts?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 8: Telecommuting Compromise\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. 
The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the external IP address belonged to an open proxy?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?\u003c/li\u003e\u003cli\u003eSuppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer?\u003c/li\u003e\u003cli\u003eSuppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? 
How would this affect the handling of the incident if the user were a high-ranking executive in the organization?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 9: Anonymous Threat\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Thursday afternoon, the organization’s physical security team receives a call from an IT manager, reporting that two of her employees just received anonymous threats against the organization’s systems. Based on an investigation, the physical security team believes that the threats should be taken seriously and notifies the appropriate internal teams, including the incident response team, of the threats.\u003c/p\u003e\u003cp\u003eThe following are additional questions for this scenario:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should the incident response team do differently, if anything, in response to the notification of the threats?\u003c/li\u003e\u003cli\u003eWhat impact could heightened physical security controls have on the team’s responses to incidents?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 10: Peer-to-Peer File Sharing\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eThe organization prohibits the use of peer-to-peer file sharing services. The organization’s network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file sharing services. 
On a Monday evening, an intrusion detection analyst notices that several file sharing alerts have occurred during the past three hours, all involving the same internal IP address.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?\u003c/li\u003e\u003cli\u003eWhat privacy considerations may impact the handling of this incident?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eScenario 11: Unknown Wireless Access Point\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eOn a Monday morning, the organization’s help desk receives calls from three users on the same floor of a building who state that they are having problems with their wireless access. A network administrator who is asked to assist in resolving the problem brings a laptop with wireless access to the users’ floor. As he views his wireless networking configuration, he notices that there is a new access point listed as being available. He checks with his teammates and determines that this access point was not deployed by his team, so that it is most likely a rogue access point that was established without permission.\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat should be the first major step in handling this incident (e.g., physically finding the rogue access point, logically attaching to the access point)?\u003c/li\u003e\u003cli\u003eWhat is the fastest way to locate the access point? 
What is the most covert way to locate the access point?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been deployed by an external party (e.g., contractor) temporarily working at the organization’s office?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if an intrusion detection analyst reported signs of suspicious activity involving some of the workstations on the same floor of the building?\u003c/li\u003e\u003cli\u003eHow would the handling of this incident differ if the access point had been removed while the team was still attempting to physically locate it?\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"323:{\"value\":\"$324\",\"format\":\"body_text\",\"processed\":\"$325\",\"summary\":\"\"}\n328:[]\n327:{\"uri\":\"entity:node/696\",\"title\":\"Breach Response at CMS\",\"options\":\"$328\",\"url\":\"/learn/breach-response\"}\n32a:[]\n329:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":\"$32a\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n32c:[]\n32b:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":\"$32c\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\n326:[\"$327\",\"$329\",\"$32b\"]\n32d:{\"value\":\"This chapter (RMH Chapter 8) identifies the policies and standards for the Incident Response family of controls\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThis chapter (RMH Chapter 8) identifies the policies and standards for the Incident Response family of 
controls\u003c/p\u003e\\n\"}\n321:{\"drupal_internal__nid\":471,\"drupal_internal__vid\":5758,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:55:41+00:00\",\"status\":true,\"title\":\"Risk Management Handbook Chapter 8: Incident Response (IR)\",\"created\":\"2022-08-29T17:51:26+00:00\",\"changed\":\"2024-08-05T15:55:41+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$322\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$323\",\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2021-03-23\",\"field_related_resources\":\"$326\",\"field_short_description\":\"$32d\"}\n331:{\"drupal_internal__target_id\":\"library\"}\n330:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$331\"}\n333:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/node_type?resourceVersion=id%3A5758\"}\n334:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/node_type?resourceVersion=id%3A5758\"}\n332:{\"re"])</script><script>self.__next_f.push([1,"lated\":\"$333\",\"self\":\"$334\"}\n32f:{\"data\":\"$330\",\"links\":\"$332\"}\n337:{\"drupal_internal__target_id\":159}\n336:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$337\"}\n339:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/revision_uid?resourceVersion=id%3A5758\"}\n33a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/revision_uid?resourceVersion=id%3A5758\"}\n338:{\"related\":\"$339\",\"self\":\"$33a\"}\n335:{\"data\":\"$336\",\"links\":\"$338\"}\n33d:{\"drupal_internal_
_target_id\":26}\n33c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$33d\"}\n33f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/uid?resourceVersion=id%3A5758\"}\n340:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/uid?resourceVersion=id%3A5758\"}\n33e:{\"related\":\"$33f\",\"self\":\"$340\"}\n33b:{\"data\":\"$33c\",\"links\":\"$33e\"}\n343:{\"drupal_internal__target_id\":91}\n342:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$343\"}\n345:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_resource_type?resourceVersion=id%3A5758\"}\n346:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_resource_type?resourceVersion=id%3A5758\"}\n344:{\"related\":\"$345\",\"self\":\"$346\"}\n341:{\"data\":\"$342\",\"links\":\"$344\"}\n34a:{\"drupal_internal__target_id\":66}\n349:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$34a\"}\n34c:{\"drupal_internal__target_id\":81}\n34b:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$34c\"}\n34e:{\"drupal_internal__target_id\":61}\n34d:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$34e\"}\n350:{\"drupal_internal__target_id\":76}\n34f:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"met"])</script><script>self.__next_f.push([1,"a\":\"$350\"}\n352:{\"drupal_internal__target_id\":71}\n351:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$352\"}\n348:[\"$349\",\"$34b\",\"$34d\",\"$34f\",\"$351\"]\n354:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_roles?resour
ceVersion=id%3A5758\"}\n355:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_roles?resourceVersion=id%3A5758\"}\n353:{\"related\":\"$354\",\"self\":\"$355\"}\n347:{\"data\":\"$348\",\"links\":\"$353\"}\n359:{\"drupal_internal__target_id\":16}\n358:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$359\"}\n35b:{\"drupal_internal__target_id\":46}\n35a:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$35b\"}\n357:[\"$358\",\"$35a\"]\n35d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_topics?resourceVersion=id%3A5758\"}\n35e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_topics?resourceVersion=id%3A5758\"}\n35c:{\"related\":\"$35d\",\"self\":\"$35e\"}\n356:{\"data\":\"$357\",\"links\":\"$35c\"}\n32e:{\"node_type\":\"$32f\",\"revision_uid\":\"$335\",\"uid\":\"$33b\",\"field_resource_type\":\"$341\",\"field_roles\":\"$347\",\"field_topics\":\"$356\"}\n31e:{\"type\":\"node--library\",\"id\":\"9b633ff4-47c4-453c-9669-3bcdd7c85ae3\",\"links\":\"$31f\",\"attributes\":\"$321\",\"relationships\":\"$32e\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"79350126-ac6b-4afd-8fb7-f5814702ddb2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2?resourceVersion=id%3A5170\"}},\"attributes\":{\"drupal_internal__nid\":256,\"drupal_internal__vid\":5170,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:56:20+00:00\",\"status\":true,\"title\":\"CMS Cybersecurity Integration Center 
(CCIC)\",\"created\":\"2022-08-26T14:55:57+00:00\",\"changed\":\"2024-01-05T17:56:20+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"pid\":246,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"Report incidents in ServiceNOW\",\"field_short_description\":{\"value\":\"The CCIC uses data to address incidents through risk management and monitoring activities across CMS \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe CCIC uses data to address incidents through risk management and monitoring activities across CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/node_type?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/node_type?resourceVersion=id%3A5170\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/revision_uid?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/revision_uid?resourceVersion=id%3A5170\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-8
59d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/uid?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/uid?resourceVersion=id%3A5170\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"59fda20c-2255-44ef-9fb0-d0834c579aa4\",\"meta\":{\"target_revision_id\":16462,\"drupal_internal__target_id\":3363}},{\"type\":\"paragraph--page_section\",\"id\":\"859d0236-1261-46a5-b0de-417573614a67\",\"meta\":{\"target_revision_id\":16464,\"drupal_internal__target_id\":3365}},{\"type\":\"paragraph--page_section\",\"id\":\"b4617ce8-95fc-4897-818b-c27cc6651aa2\",\"meta\":{\"target_revision_id\":16466,\"drupal_internal__target_id\":3367}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_page_section?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_page_section?resourceVersion=id%3A5170\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\",\"meta\":{\"target_revision_id\":16467,\"drupal_internal__target_id\":3368}},{\"type\":\"paragraph--internal_link\",\"id\":\"fc107bc4-832c-47e5-9f84-8235407eeed2\",\"meta\":{\"target_revision_id\":16468,\"drupal_internal__target_id\":3369}},{\"type\":\"paragraph--internal_link\",\"id\":\"d51b0447-02a5-4951-bc45-42b3b7ae745b\",\"meta\":{\"target_revision_id\":16469,\"drupal_internal__target_id\":3370}},{\"type\":\"paragraph--internal_link\",\"id\":\"4090ef92-e750-496d-8230-dcec4f6d312d\",\"meta\":{\"target_revision_id\":16470,\"drupal_internal__target_id\":3371}},{\"type\":\"paragraph--internal_link\",\"id\":\"d8afa351-48fa-446
c-9491-7865d51b2f72\",\"meta\":{\"target_revision_id\":16471,\"drupal_internal__target_id\":3372}},{\"type\":\"paragraph--internal_link\",\"id\":\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\",\"meta\":{\"target_revision_id\":16472,\"drupal_internal__target_id\":3373}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_related_collection?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_related_collection?resourceVersion=id%3A5170\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_resource_type?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_resource_type?resourceVersion=id%3A5170\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_roles?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_roles?resourceVersion=id%3A5170\"}}},
\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/field_topics?resourceVersion=id%3A5170\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/79350126-ac6b-4afd-8fb7-f5814702ddb2/relationships/field_topics?resourceVersion=id%3A5170\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}},\"attributes\":{\"display_name\":\"alex.kerr\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}},\"attributes\":{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}}},\"parent\":{\"data\":[{\"type\"
:\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"59fda20c-2255-44ef-9fb0-d0834c579aa4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4?resourceVersion=id%3A16462\"}},\"attributes\":{\"drupal_internal__id\":3363,\"drupal_internal__revision_id\":16462,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:13:37+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is the CCIC?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity.\u0026nbsp;\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is the CCIC?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. 
The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity.\u0026nbsp;\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/paragraph_type?resourceVersion=id%3A16462\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/relationships/paragraph_type?resourceVersion=id%3A16462\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"80be8345-ad19-448f-83b6-3c5d0681969a\",\"meta\":{\"target_revision_id\":16461,\"drupal_internal__target_id\":3362}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/field_specialty_item?resourceVersion=id%3A16462\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/59fda20c-2255-44ef-9fb0-d0834c579aa4/relationships/field_specialty_item?resourceVersion=id%3A16462\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"859d0236-1261-46a5-b0de-417573614a67\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67?resourceVersion=id%3A16464\"}},\"attributes\":{\"drupal_internal__id\":3365,\"drupal_internal__revision_id\":16464,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:22:20+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_
text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/paragraph_type?resourceVersion=id%3A16464\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/relationships/paragraph_type?resourceVersion=id%3A16464\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"bdb43863-9f16-4af9-b178-8587c253cc97\",\"meta\":{\"target_revision_id\":16463,\"drupal_internal__target_id\":3364}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/field_specialty_item?resourceVersion=id%3A16464\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/859d0236-1261-46a5-b0de-417573614a67/relationships/field_specialty_item?resourceVersion=id%3A16464\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"b4617ce8-95fc-4897-818b-c27cc6651aa2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2?resourceVersion=id%3A16466\"}},\"attributes\":{\"drupal_internal__id\":3367,\"drupal_internal__revision_id\":16466,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:24:22+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-
a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/paragraph_type?resourceVersion=id%3A16466\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/relationships/paragraph_type?resourceVersion=id%3A16466\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"caef88fe-5113-4c14-affc-37cc1c84cded\",\"meta\":{\"target_revision_id\":16465,\"drupal_internal__target_id\":3366}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/field_specialty_item?resourceVersion=id%3A16466\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b4617ce8-95fc-4897-818b-c27cc6651aa2/relationships/field_specialty_item?resourceVersion=id%3A16466\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"80be8345-ad19-448f-83b6-3c5d0681969a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/80be8345-ad19-448f-83b6-3c5d0681969a?resourceVersion=id%3A16461\"}},\"attributes\":{\"drupal_internal__id\":3362,\"drupal_internal__revision_id\":16461,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:14:25+00:00\",\"parent_id\":\"3363\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://cmsitsm.servicenowservices.com/connect\",\"title\":\"\",\"options\":[],\"url\":\"https://cmsitsm.servicenowservices.com/connect\"},\"field_call_out_link_text\":\"Create a ticket\",\"field_call_out_text\":{\"value\":\"Do you need to report an incident? The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review. 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDo you need to report an incident? The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review.\u003c/p\u003e\\n\"},\"field_header\":\"Report an incident\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/80be8345-ad19-448f-83b6-3c5d0681969a/paragraph_type?resourceVersion=id%3A16461\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/80be8345-ad19-448f-83b6-3c5d0681969a/relationships/paragraph_type?resourceVersion=id%3A16461\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"bdb43863-9f16-4af9-b178-8587c253cc97\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97?resourceVersion=id%3A16463\"}},\"attributes\":{\"drupal_internal__id\":3364,\"drupal_internal__revision_id\":16463,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:23:07+00:00\",\"parent_id\":\"3365\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026sys_id=8d414c9f1bd4e4100888ed7bbc4bcbed\u0026sysparm_category=5d2681841b17e0100888ed7bbc4bcb7f\",\"title\":\"\",\"options\":[],\"url\":\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026sys_id=8d414c9f1bd4e4100888ed7bbc4bcbed\u0026sysparm_category=5d2681841b17e0100888ed7bbc4bcb7f\"},\"field_call_out_link_text\":\"Get started with SOC as a Service\",\"field_call_out_text\":{\"value\":\"Access the latest tools and resources for your FISMA system -- connect with 
the SOC to onboard your team. \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAccess the latest tools and resources for your FISMA system -- connect with the SOC to onboard your team.\u003c/p\u003e\\n\"},\"field_header\":\"Get SOC-as-a-Service for your team \"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97/paragraph_type?resourceVersion=id%3A16463\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/bdb43863-9f16-4af9-b178-8587c253cc97/relationships/paragraph_type?resourceVersion=id%3A16463\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"caef88fe-5113-4c14-affc-37cc1c84cded\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded?resourceVersion=id%3A16465\"}},\"attributes\":{\"drupal_internal__id\":3366,\"drupal_internal__revision_id\":16465,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:24:55+00:00\",\"parent_id\":\"3367\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://cmsitsm.servicenowservices.com/connect\",\"title\":\"\",\"options\":[],\"url\":\"https://cmsitsm.servicenowservices.com/connect\"},\"field_call_out_link_text\":\"See the catalog\",\"field_call_out_text\":{\"value\":\"Review offerings from the CCIC in the ServiceNOW catalog (VPN required).\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReview offerings from the CCIC in the ServiceNOW catalog (VPN required).\u003c/p\u003e\\n\"},\"field_header\":\"Get the latest from the CCIC 
\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded/paragraph_type?resourceVersion=id%3A16465\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/caef88fe-5113-4c14-affc-37cc1c84cded/relationships/paragraph_type?resourceVersion=id%3A16465\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7?resourceVersion=id%3A16467\"}},\"attributes\":{\"drupal_internal__id\":3368,\"drupal_internal__revision_id\":16467,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:36+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/paragraph_type?resourceVersion=id%3A16467\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/relationships/paragraph_type?resourceVersion=id%3A16467\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":{\"drupal_internal__target_id\":206}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/field_lin
k?resourceVersion=id%3A16467\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7/relationships/field_link?resourceVersion=id%3A16467\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"fc107bc4-832c-47e5-9f84-8235407eeed2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2?resourceVersion=id%3A16468\"}},\"attributes\":{\"drupal_internal__id\":3369,\"drupal_internal__revision_id\":16468,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:41+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/paragraph_type?resourceVersion=id%3A16468\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/relationships/paragraph_type?resourceVersion=id%3A16468\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":{\"drupal_internal__target_id\":676}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/field_link?resourceVersion=id%3A16468\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/fc107bc4-832c-47e5-9f84-8235407eeed2/relationships/field_link?resourceVersion=id%3A16468\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"d51b0447-02a5-4951-bc45-42b3b7ae745b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/
jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b?resourceVersion=id%3A16469\"}},\"attributes\":{\"drupal_internal__id\":3370,\"drupal_internal__revision_id\":16469,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:47+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/paragraph_type?resourceVersion=id%3A16469\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/relationships/paragraph_type?resourceVersion=id%3A16469\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":{\"drupal_internal__target_id\":771}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/field_link?resourceVersion=id%3A16469\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d51b0447-02a5-4951-bc45-42b3b7ae745b/relationships/field_link?resourceVersion=id%3A16469\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"4090ef92-e750-496d-8230-dcec4f6d312d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d?resourceVersion=id%3A16470\"}},\"attributes\":{\"drupal_internal__id\":3371,\"drupal_internal__revision_id\":16470,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:25:52+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_colle
ction\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/paragraph_type?resourceVersion=id%3A16470\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/relationships/paragraph_type?resourceVersion=id%3A16470\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\",\"meta\":{\"drupal_internal__target_id\":581}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/field_link?resourceVersion=id%3A16470\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/4090ef92-e750-496d-8230-dcec4f6d312d/relationships/field_link?resourceVersion=id%3A16470\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"d8afa351-48fa-446c-9491-7865d51b2f72\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72?resourceVersion=id%3A16471\"}},\"attributes\":{\"drupal_internal__id\":3372,\"drupal_internal__revision_id\":16471,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:26:11+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cyberg
eek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/paragraph_type?resourceVersion=id%3A16471\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/relationships/paragraph_type?resourceVersion=id%3A16471\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":{\"drupal_internal__target_id\":391}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/field_link?resourceVersion=id%3A16471\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d8afa351-48fa-446c-9491-7865d51b2f72/relationships/field_link?resourceVersion=id%3A16471\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8?resourceVersion=id%3A16472\"}},\"attributes\":{\"drupal_internal__id\":3373,\"drupal_internal__revision_id\":16472,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T16:26:28+00:00\",\"parent_id\":\"256\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/paragraph_type?resourceVersion=id%3A16472\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/relationships/paragraph_type?resourceVersion=id%3A16472\"}}},\"field_link\":{\"data\":{\"type\":\"node--librar
y\",\"id\":\"9b633ff4-47c4-453c-9669-3bcdd7c85ae3\",\"meta\":{\"drupal_internal__target_id\":471}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/field_link?resourceVersion=id%3A16472\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/010ab69b-b5ce-499a-a760-d3c0af6a37a8/relationships/field_link?resourceVersion=id%3A16472\"}}}}},{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at 
CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVer
sion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c
-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}}}}},{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}},\"attributes\":{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f830
2fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}},{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}},{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}},{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonom
y_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}}}}},{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}},\"attributes\":{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langc
ode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#oa-onboarding \",\"#security_community 
\",\"#CMS-CDM\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}},{\"type\":\"paragraph--page_sectio
n\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal_
_target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}}}}},{\"type\":\"node--explainer\",\"id\":\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e?resourceVersion=id%3A5460\"}},\"attributes\":{\"drupal_internal__nid\":581,\"drupal
_internal__vid\":5460,\"langcode\":\"en\",\"revision_timestamp\":\"2024-05-17T21:42:11+00:00\",\"status\":true,\"title\":\"Threat Modeling\",\"created\":\"2022-08-29T18:53:20+00:00\",\"changed\":\"2024-05-17T15:09:41+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/threat-modeling\",\"pid\":571,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ThreatModeling@cms.hhs.gov\",\"field_contact_name\":\"CMS Threat Modeling Team\",\"field_short_description\":{\"value\":\"Design practices that facilitate secure software development through organization and collaboration \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDesign practices that facilitate secure software development through organization and collaboration\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-threat-modeling\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/node_type?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/node_type?resourceVersion=id%3A5460\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"ee0c4536-bc99-4440-92eb-6256599174e5\",\"meta\":{\"drupal_internal__target_id\":100}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/revision_uid?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d8669132
8e/relationships/revision_uid?resourceVersion=id%3A5460\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/uid?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/uid?resourceVersion=id%3A5460\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\",\"meta\":{\"target_revision_id\":17491,\"drupal_internal__target_id\":3306}},{\"type\":\"paragraph--page_section\",\"id\":\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\",\"meta\":{\"target_revision_id\":17498,\"drupal_internal__target_id\":3313}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_page_section?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_page_section?resourceVersion=id%3A5460\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"362b0424-2e7e-47f8-9515-4e33c749a551\",\"meta\":{\"target_revision_id\":17499,\"drupal_internal__target_id\":3314}},{\"type\":\"paragraph--internal_link\",\"id\":\"de10201a-15bc-4af2-bde0-d2b2f67f3596\",\"meta\":{\"target_revision_id\":17500,\"drupal_internal__target_id\":3315}},{\"type\":\"paragraph--internal_link\",\"id\":\"ded08c1c-6476-43b1-a316-7c38a1746aa4\",\"meta\":{\"target_revision_id\":17501,\"drupal_internal__target_id\":3316}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_related_collection?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299
-4fd4-9a0a-d6d86691328e/relationships/field_related_collection?resourceVersion=id%3A5460\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_resource_type?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_resource_type?resourceVersion=id%3A5460\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_roles?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_roles?resourceVersion=id%3A5460\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_topics?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/
96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_topics?resourceVersion=id%3A5460\"}}}}},{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}},\"attributes\":{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in 
protection\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ccic_sec_eng_and_soc\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":{\"drupal_internal__target_id\":122}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_pa
ge_section?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}},{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/
845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}}}}},{\"type\":\"node--library\",\"id\":\"9b633ff4-47c4-453c-9669-3bcdd7c85ae3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3?resourceVersion=id%3A5758\"}},\"attributes\":{\"drupal_internal__nid\":471,\"drupal_internal__vid\":5758,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:55:41+00:00\",\"status\":true,\"title\":\"Risk 
Management Handbook Chapter 8: Incident Response (IR)\",\"created\":\"2022-08-29T17:51:26+00:00\",\"changed\":\"2024-08-05T15:55:41+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"pid\":461,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2021-03-23\",\"field_related_resources\":[{\"uri\":\"entity:node/696\",\"title\":\"Breach Response at CMS\",\"options\":[],\"url\":\"/learn/breach-response\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks (all)\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"This chapter (RMH Chapter 8) identifies the policies and standards for the Incident Response family of controls\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThis chapter (RMH Chapter 8) identifies the policies and standards for the Incident Response family of 
controls\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/node_type?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/node_type?resourceVersion=id%3A5758\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/revision_uid?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/revision_uid?resourceVersion=id%3A5758\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/uid?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/uid?resourceVersion=id%3A5758\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_resource_type?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_resource_type?resourceVersion=id%3A5758\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_
term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_roles?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_roles?resourceVersion=id%3A5758\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/field_topics?resourceVersion=id%3A5758\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/9b633ff4-47c4-453c-9669-3bcdd7c85ae3/relationships/field_topics?resourceVersion=id%3A5758\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\":\"$28\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2c\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$98\",\"0534f7e2-9894-488d-a526-3c
0255df2ad5\":\"$b2\",\"59fda20c-2255-44ef-9fb0-d0834c579aa4\":\"$cc\",\"859d0236-1261-46a5-b0de-417573614a67\":\"$df\",\"b4617ce8-95fc-4897-818b-c27cc6651aa2\":\"$f4\",\"80be8345-ad19-448f-83b6-3c5d0681969a\":\"$109\",\"bdb43863-9f16-4af9-b178-8587c253cc97\":\"$118\",\"caef88fe-5113-4c14-affc-37cc1c84cded\":\"$127\",\"dcee9e9b-8a9f-40b1-a539-fa9d9fbb8fd7\":\"$136\",\"fc107bc4-832c-47e5-9f84-8235407eeed2\":\"$148\",\"d51b0447-02a5-4951-bc45-42b3b7ae745b\":\"$15a\",\"4090ef92-e750-496d-8230-dcec4f6d312d\":\"$16c\",\"d8afa351-48fa-446c-9491-7865d51b2f72\":\"$17e\",\"010ab69b-b5ce-499a-a760-d3c0af6a37a8\":\"$190\",\"defa7277-790b-4bbd-b6ee-cc539e121df2\":\"$1a2\",\"1f32f891-d557-40ae-84b5-2cecc9300e08\":\"$1ec\",\"dfeef1d1-c536-4496-97ad-5488a965a6cf\":\"$232\",\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\":\"$284\",\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\":\"$2ce\",\"9b633ff4-47c4-453c-9669-3bcdd7c85ae3\":\"$31e\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Cybersecurity Integration Center (CCIC) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"The CCIC uses data to address incidents through risk management and monitoring activities across CMS \"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Cybersecurity Integration Center (CCIC) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"The CCIC uses data to address incidents through risk management and monitoring activities across 
CMS \"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Cybersecurity Integration Center (CCIC) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"The CCIC uses data to address incidents through risk management and monitoring activities across CMS \"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |