<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Interconnection Security Agreement (ISA) | CMS Information Security & Privacy Group</title><meta name="description" content="Defining the relationship between CMS 
information systems and external systems"/><link rel="canonical" href="https://security.cms.gov/learn/cms-interconnection-security-agreement-isa"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Interconnection Security Agreement (ISA) | CMS Information Security & Privacy Group"/><meta property="og:description" content="Defining the relationship between CMS information systems and external systems"/><meta property="og:url" content="https://security.cms.gov/learn/cms-interconnection-security-agreement-isa"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-interconnection-security-agreement-isa/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Interconnection Security Agreement (ISA) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="Defining the relationship between CMS information systems and external systems"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-interconnection-security-agreement-isa/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header 
class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" 
width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" 
hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at 
CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk 
Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li 
class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation 
(CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg 
aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Interconnection Security Agreement (ISA)</h1><p class="hero__description">Defining the relationship between CMS information systems and external systems</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#ispg-privacy-agreement-consults</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div 
class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is an Interconnection Security Agreement (ISA)?</h2><p>An Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. </p><p>In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks. </p><p>ISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.</p><p>Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. 
All CMS ISAs are based on the <a href="https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final">National Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1</a>. </p><h2>Interconnection Security Agreement (ISA) Template</h2><p><em>ISAs require the use of the <strong>Interconnection Security Agreement (ISA) Template</strong>. The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.</em> </p><p>This CMS and <strong>&lt;Insert Non-CMS Organization Name&gt;</strong> ISA Review Log is maintained to record the annual reviews. The CMS and <strong>&lt;Insert Non-CMS Organization Name&gt;</strong> ISA Review Log is provided below.</p><h3>ISA review log</h3><table><thead><tr><th><strong>Date of Review</strong></th><th><strong>Initials of Reviewer</strong></th><th><strong>Name of Reviewer</strong></th><th><strong>Organization of Reviewer</strong></th><th><strong>ISA Version</strong></th></tr></thead><tbody><tr><td>&lt;insert Date of the review&gt;</td><td>&lt;insert Initials of the reviewer&gt;</td><td>&lt;insert Staff name of the reviewer&gt;</td><td>&lt;insert staff reviewer's organization&gt;</td><td>&lt;insert ISA Version reviewed&gt;</td></tr></tbody></table><p> </p><h3>Purpose</h3><p>The purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare & Medicaid Services (CMS) and <strong>&lt;Insert Non-CMS Organization Name&gt;</strong>, hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ <strong>&lt;Insert CMS' Network Name & Acronym&gt;</strong>, hereafter known as the CMS Network, and the Non-CMS Organization’s network. 
This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”</p><ul><li><em><strong>“Information”</strong> is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)</em></li><li><em><strong>“Network interconnection”</strong> is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.” (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)</em></li><li><em><strong>“Adequate security”</strong> is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.” (Office of Management and Budget (OMB) Circular A-130)</em></li></ul><p>Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the <a href="https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final">National Institute of Standards and Technology (NIST) <em>Security Guide for Interconnecting Information Technology Systems</em> (Special Publication (SP) 800-47)</a>. 
NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.</p><p>The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. It also authorizes </p><p>mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks. Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.</p><h3>CMS Background</h3><h4>CMS</h4><p>As an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.</p><h4>CMS Information Security Program</h4><p>The CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources. 
The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations. CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes. Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.</p><h3>CMS Roles and Responsibilities</h3><h4>CMS Chief Information Officer (CIO)</h4><p>The CMS CIO is responsible for the overall implementation and administration of the CMS Information Security Program.</p><h4>CMS Chief Information Security Officer (CISO)</h4><p>The CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.</p><h4>CMS Information System Security Officer (ISSO)</h4><p>The CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.</p><h4>CMS Business Owners (BO)</h4><p>The CMS Business Owner (BO) is responsible for the management and oversight of the <strong><Insert CMS information system name & acronym></strong> hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. 
The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to <strong><Insert CMS information system name & acronym></strong>.</p><h3>Non-CMS Organization</h3><p><strong><Insert background information about Organization B, including a brief description of the organization and its mission></strong></p><h4>IT Security Program</h4><p><strong><Insert a brief description of the Organization IS program></strong></p><h3>Roles and Responsibilities</h3><p><Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.></p><h4>(ROLE)</h4><p><strong><Insert roles and responsibilities></strong></p><h4>(ROLE)</h4><p><strong><Insert roles and responsibilities></strong></p><h4>(ROLE)</h4><p><strong><Insert roles and responsibilities></strong></p><h3>Scope</h3><p>The scope of this ISA is based on the following, but not limited to the:</p><ul><li>Interconnection between CMS information system and the Non-CMS Organization.</li><li>Existing and future users including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.</li><li>Related network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.</li></ul><h3>Authority</h3><p>By interconnecting with the CMS network and CMS information system, Non-CMS Organization agrees to be bound by this ISA and the use of CMS Network and CMS information system in compliance with this ISA.</p><p>The authority for this 
ISA is based on, but not limited to, the following:</p><ul><li>Federal Information Security Management Act of 2002 (FISMA);</li><li>OMB Circular A-130, Appendix III, <em>Security of Federal Automated Information Systems;</em></li><li>18 United States Code (U.S.C.) 641 Criminal Code: Public Money, Property or Records;</li><li>18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information;</li><li>Privacy Act of 1974, 5 U.S.C. § 552a; and</li><li>Health Insurance Portability and Accountability Act (HIPAA) of 1996, P.L. 104-191 (only if there is an exchange of PHI)</li></ul><p>This ISA is also in compliance with <a href="http://www.hhs.gov/ocio/index.html">DHHS policies</a> and <a href="http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/">CMS policies</a>. These sites may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.</p><ul><li><em>A <strong>“major application” </strong>is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. 
(OMB A-130)</em></li></ul><h3>Statement of Requirements</h3><p>The expected benefit of the interconnection is <strong><Insert Business Expectation></strong></p><h3>General Information/Data Description</h3><p><strong><Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks></strong></p><h3>Services Offered</h3><p><strong>CMS shall:</strong></p><ul><li>Provide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or <a href="mailto:cms_it_service.desk@cms.hhs.gov">mailto:cms_it_service.desk@cms.hhs.gov</a>) for the Non-CMS Organization Point of Contact (POC) to communicate any security issues; and</li><li>Provide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.</li></ul><p><strong>The Non-CMS Organization shall:</strong></p><p><strong><Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information></strong></p><h3>System Descriptions</h3><h4>CMS System</h4><p><strong>Name: CMS</strong></p><p><strong>Function:</strong> <strong><Insert CMS’ System Function></strong></p><p><strong>Location:</strong> <strong><Insert CMS physical site location></strong></p><p>Description of data, including Sensitivity or Classification level: <strong><Insert description></strong></p><table><tbody><tr><td>Describe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH. Refer to the <em>CMS Information Security Levels</em> document on </td></tr></tbody></table><table><tbody><tr><td> </td><td><strong>Information Category</strong></td><td><strong>Level</strong></td></tr><tr><td><strong>Security Level</strong></td><td><Select and enter the Information Category from the System Security Level referenced above. 
Insert all entities that are applicable.></td><td><Insert HIGH, MODERATE or LOW.></td></tr></tbody></table><p>Overall Security Level Designation: <strong><Insert highest level from the table above></strong></p><h4>Non-CMS Organization System</h4><p><strong>Name:</strong> <strong><Insert Organization B’s System></strong></p><p><strong>Function</strong>: <strong><Insert Organization B’s System Function></strong></p><p><strong>Location:</strong> <strong><Insert Organization B’s Physical Site Location></strong></p><p>Description of data, including Sensitivity or Classification level: <strong><Insert description></strong></p><table><tbody><tr><td>Describe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH. Refer to the <a href="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf">NIST FIPS 199</a>. For additional guidance, refer to <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl"><em>CMS Risk Management Handbook Chapter 12 Security and Privacy Planning</em></a><em>.</em></td></tr></tbody></table><table><tbody><tr><td> </td><td><strong>Information Category</strong></td><td><strong>Level</strong></td></tr><tr><td><strong>Security Level</strong></td><td><Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.></td><td><Insert HIGH, MODERATE or LOW.></td></tr></tbody></table><p>Overall Security Level Designation: <strong><Insert highest level from the table above></strong></p><h4>Topological Diagram</h4><p>Appendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system). 
Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.</p><h3>Security Responsibilities </h3><p><strong>Both parties shall</strong> maintain a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.</p><h4>Communication/Information Security Points of Contact</h4><p><strong>Both parties shall:</strong></p><ul><li>Designate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;</li><li>Maintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and</li><li>Inform their counterpart promptly of any change in technical POCs and interconnections.</li></ul><p><strong>CMS shall:</strong></p><ul><li>Inform their counterpart promptly of any change in technical POC and interconnection;</li><li>Identify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.</li></ul><p><strong>Non-CMS Organization shall </strong>designate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.</p><h4>Responsible Parties</h4><p>Appendix B is a list of the responsible parties and contacts for each system. It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and for the notification of such changes to the alternate party within 30 days of any personnel change. 
Updating Appendix B does not require the re-signing of this ISA by either party.</p><h3>Personnel/User Security </h3><h4>User Community</h4><p><strong>Both parties shall:</strong></p><ul><li>Ensure that all employees, contractors, and other authorized users with access to the CMS Network and the Non-CMS Organization and the data sent and received from either organization are not security risks and meet the requirements of the <a href="http://www.whitehouse.gov/omb/">Office of Management and Budget (OMB)</a> and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.</li><li>Enforce the following IS best practices:</li><li>Least Privilege: Only authorizing access to the minimal amount of resources required for a function;</li><li>Separation of Duties: A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and</li><li>Role-Based Security: Access controls to perform certain operations ('permissions') are assigned to specific roles.</li></ul><h3>Commitment to Protect Sensitive Information</h3><p><strong>Both parties shall </strong>not release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguard of the agency.</p><p><strong>The Non-CMS Organization shall:</strong></p><ul><li>Ensure that each Non-CMS Organization contractor employee signs form CMS R-0235, <a href="https://security.cms.gov/learn/cms-data-use-agreement-dua">CMS Data Use Agreement</a>.</li><li>Ensure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components also comply with the security required by <a href="https://www.acquisition.gov/far/52.239-1">Federal 
Acquisition Regulation (FAR) clause 52.239-1</a>, Privacy or Security Safeguards and CMS IS policies, standards, and procedures.</li></ul><h3>Training and Awareness</h3><p><strong>Both parties shall</strong> have all users, including employees, contractors, and other authorized users complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: <a href="https://www.cms.gov/cbt/">https://www.cms.gov/cbt/</a>.</p><h3>Personnel Changes/De-registration</h3><p><strong>Both parties shall:</strong></p><ul><li>Provide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.</li><li>Provide notification to their respective BO of any changes in the ISSO or POC information.</li><li>Provide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities. <a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity">list of current CAA</a> </li></ul><h3>Policies</h3><p><strong>Both parties shall</strong> adhere to all DHHS and CMS IS policies, procedures, and guidelines on the <a href="https://security.cms.gov/">ISPG website</a>. 
</p><h4>Rules of Behavior</h4><p><strong>Both parties shall</strong> ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization adhere to all current <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Rules-of-Behavior-for-Use-of-HHS-Information-and-IT-Resources-Policy.html?DLPage=1&DLEntries=10&DLFilter=rule&DLSort=0&DLSortDir=ascending"><em>HHS Rules of Behavior (RoB) (For Use of Technology Resources and Information)</em></a><em>.</em></p><h4>Security Documentation</h4><p><strong>Both parties shall</strong> ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal. For guidance, see <a href="https://security.cms.gov/learn/cms-security-and-privacy-handbooks">the CMS Security and Privacy Handbooks. </a></p><p><strong>CMS shall</strong> review the <a href="https://security.cms.gov/learn/system-security-and-privacy-plan-sspp"><em>CMS System Security Plan (SSPP)</em></a> for CMS information system and the CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures.</p><p><strong>The Non-CMS Organization shall:</strong></p><ul><li>Maintain an SSPP on the Non-CMS Organization’s network and update it whenever there is a major modification. 
The SSPP shall be compliant with the <a href="http://csrc.nist.gov/publications/PubsSPs.html">National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18<em> Guide for Developing Security Plans for IT Systems</em>.</a></li><li>Make accessible to CMS all IS program documents from the Non-CMS Organization.</li></ul><h3>Network Security</h3><h4>Network Management</h4><p><strong>Both parties shall:</strong></p><ul><li>Ensure that this interconnection is completely isolated from the Internet.</li><li>Ensure that this interconnection is completely isolated from all other customer / business processes.</li></ul><h4>Material Network Changes</h4><p><strong>Both parties shall:</strong></p><ul><li>Submit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;</li><li>Renegotiate this ISA before any changes are implemented;</li><li>Report planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);</li><li>Conduct a risk assessment based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation;</li><li>Conduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and</li><li>Notify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.</li></ul><h4>New Interconnections</h4><p><strong>Both parties shall</strong> prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.</p><h4>Network Inventory</h4><p><strong>Non-CMS Organization shall</strong> maintain and make available to CMS upon request a list of all Non-CMS Organization<strong> </strong>subnets connected to CMS’ network and periodically update the 
information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.</p><h4>Firewall Management</h4><ul><li>Configure the CMS network perimeter firewall in accordance with OIT, IUSG.</li><li>Block all network traffic incoming from the Internet to CMS unless it is explicitly permitted.</li><li>Install a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.</li></ul><p><strong>The Non-CMS Organization shall:</strong></p><ul><li>Maintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent as that of OIT, IUSG.</li><li>Provide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.</li></ul><h3>Incident Prevention, Detection, and Response</h3><h4>Incident Handling</h4><p><strong>Both parties shall:</strong></p><ul><li>Handle and report incidents in accordance with the <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><em>CMS RMH Chapter 8 Incident Handling</em></a></li><li>Notify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.</li></ul><h4>Vulnerability Scanning</h4><p><strong>Both parties shall:</strong></p><ul><li>Disseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;</li><li>Report to both the CMS BO and the Non-CMS Organization’s BO any security incident involving either organization’s subnets within the scope of this ISA; and</li><li>Block inbound and outbound access for any CMS or Non-CMS 
Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.</li></ul><h4>Disasters and Other Contingencies</h4><p><strong>Both parties shall</strong> immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.</p><h3>Modifications</h3><p>If any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect, unless formally modified by both parties. Any modifications that change the security posture to this ISA shall be in writing and agreed upon and approved in writing by either parties or their designees.</p><h3>Compliance</h3><p>Non-compliance with the terms of this ISA by either party may lead to termination of the interconnection. CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network. CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS). The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.</p><h3>Cost Considerations</h3><p>Both parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media. No financial commitments to reimburse the other party shall be made without the written concurrence of both parties. Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ organization. 
This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.</p><h3>Timeline</h3><p>This ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party. This ISA is subject to annual review and must be reauthorized when significant changes (that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements. If one or both of the parties wish to terminate this agreement, they may do so upon thirty (30) days’ written notice; in the event of a security incident or suspected incident, CMS has the right to immediately terminate the connection.</p><h3>Order of Precedence </h3><p>In the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.</p><h3>Confidentiality </h3><p>Subject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.</p><h3>Survival</h3><p>The parties’ rights and obligations shall survive expiration or termination of this ISA.</p><h3>Records</h3><p>The Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and for at least three (3) years after the date this ISA terminates or expires. Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. 
The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization<strong> </strong>business activities.</p><h3>Severability</h3><p>If any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever. The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.</p><p>CMS does not warrant that Non-CMS Organization interconnection to the CMS’ network under this ISA will meet Non-CMS Organization requirements, expectations, or even the stated expected benefit of Non-CMS Organization interconnection to the CMS (see Provision 6, Statement of Requirements). 
Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with the CMS, and Non-CMS Organization exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.</p><p>CMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.</p><h3>Limitation of Liability</h3><p>UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.</p><h3>Force Majeure</h3><p>Non-CMS Organization failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters or similar causes beyond Non-CMS Organization<strong> </strong>control) shall not be deemed a breach of this ISA.</p><h3>Signatures</h3><p>Both parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA. Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. 
</p><p>We agree to the terms and conditions of this ISA.</p><p><strong>Director, OIT Project Manager (equivalent)</strong></p><p><strong>_______________________________ ________________________________</strong></p><p>(Name) (Name)</p><p><strong>_______________________________ ________________________________</strong></p><p>(Signature) (Date) (Signature) (Date)</p><p> </p><p><strong>CMS Chief Information Security Officer Chief Information Security Officer (equivalent)</strong></p><p><strong>_______________________________ ________________________________</strong></p><p>(Name) (Name)</p><p><strong>_______________________________ ________________________________</strong></p><p>(Signature) (Date) (Signature) (Date)</p><p> </p><p><strong>CMS ISSO ISSO (equivalent)</strong></p><p><strong>_______________________________ ______________________________</strong></p><p>(Name) (Name)</p><p><strong>_______________________________ ________________________________</strong></p><p>(Signature) (Date) (Signature) (Date)</p><p> </p><p><strong>CMS Business Owner Business Owner (equivalent)</strong></p><p><strong>_______________________________ ________________________________</strong></p><p>(Name) (Name)</p><p><strong>_______________________________ ________________________________</strong></p><p>(Signature) (Date) (Signature) (Date)</p><p> </p><p><strong>CMS Project Officer</strong></p><p><strong>_______________________________</strong></p><p>(Name)</p><p><strong>_______________________________</strong></p><p>(Title)</p><p><strong>_______________________________</strong></p><p>(Signature) (Date)</p><p> </p></div></section></div></div></div>
\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30
-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data 
Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer 
Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework 
(RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application 
Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement 
(IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act 
(HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System 
Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T8f3b,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is an Interconnection Security Agreement (ISA)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAn Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. 
ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.\u003c/p\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks.\u0026nbsp; All CMS ISAs are based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eInterconnection Security Agreement (ISA) Template\u003c/h2\u003e\u003cp\u003e\u003cem\u003eISAs require the use of the \u003cstrong\u003eInterconnection Security Agreement (ISA) Template\u003c/strong\u003e. 
The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.\u003c/em\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis CMS and \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is maintained to record the annual reviews.\u0026nbsp; The CMS\u003cstrong\u003e \u003c/strong\u003eand \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is provided below.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISA review log\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDate of Review\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInitials of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eName of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOrganization of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eISA Version\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;insert Date of the review\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Initials of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Staff name of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert staff reviewer's organization\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert ISA Version reviewed\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare \u0026amp; Medicaid Services (CMS) and \u003cstrong\u003e\u0026lt;Insert Non-CMS 
Organization Name\u0026gt;\u003c/strong\u003e hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ \u003cstrong\u003e\u0026lt;Insert CMS' Network Name \u0026amp; Acronym\u0026gt;\u003c/strong\u003e, hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Information”\u003c/strong\u003e is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Network interconnection”\u003c/strong\u003e is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.”\u0026nbsp; (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Adequate security”\u003c/strong\u003e is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.”\u0026nbsp; (Office of Management and Budget (OMB) Circular 
A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) \u003cem\u003eSecurity Guide for Interconnecting Information Technology Systems\u003c/em\u003e (Special Publication (SP) 800-47)\u003c/a\u003e. NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.\u003c/p\u003e\u003cp\u003eThe ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. 
It also authorizes mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp; Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Background\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources.\u0026nbsp; The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations.\u0026nbsp; CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes.\u0026nbsp; Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Roles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Officer (CIO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CIO is responsible for the overall implementation and administration 
of the CMS Information Security Program.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Business Owners (BO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner (BO) is responsible for the management and oversight of the\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e\u0026nbsp;hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. 
The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to \u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNon-CMS Organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert background information about Organization B, including a brief description of the organization and its mission\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIT Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a brief description of the Organization IS program\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe scope of this ISA is based on, but not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInterconnection between CMS information system and the Non-CMS Organization.\u003c/li\u003e\u003cli\u003eExisting and future users 
including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.\u003c/li\u003e\u003cli\u003eRelated network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthority\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy interconnecting with the CMS network and CMS information system, Non-CMS Organization agrees to be bound by this ISA and the use of CMS Network and CMS information system in compliance with this ISA.\u003c/p\u003e\u003cp\u003eThe authority for this ISA is based on, but not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFederal Information Security Management Act of 2002 (FISMA);\u003c/li\u003e\u003cli\u003eOMB Circular A-130, Appendix III, \u003cem\u003eSecurity of Federal Automated Information Systems;\u003c/em\u003e\u003c/li\u003e\u003cli\u003e18 United States Code (U.S.C.) 641 Criminal Code: Public Money, Property or Records;\u003c/li\u003e\u003cli\u003e18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information;\u003c/li\u003e\u003cli\u003ePrivacy Act of 1974, 5 U.S.C. § 552a; and\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act (HIPAA) of 1996 P.L. 
104-191 (only if there is an exchange of protected health information (PHI))\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis ISA is also in compliance with \u003ca href=\"http://www.hhs.gov/ocio/index.html\"\u003eDHHS policies\u003c/a\u003e and \u003ca href=\"http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/\"\u003eCMS policies\u003c/a\u003e. These sites may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eA \u003cstrong\u003e“major application” \u003c/strong\u003eis an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eStatement of Requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe expected benefit of the interconnection is \u003cstrong\u003e\u0026lt;Insert Business Expectation\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Information/Data Description\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eServices Offered\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or \u003ca href=\"mailto:cms_it_service.desk@cms.hhs.gov\"\u003ecms_it_service.desk@cms.hhs.gov\u003c/a\u003e) for the Non-CMS Organization Point of Contact (POC) to communicate any 
security issues; and\u003c/li\u003e\u003cli\u003eProvide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003eSystem Descriptions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u0026nbsp; CMS\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS’ System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS physical site location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003cem\u003eCMS Information Security Levels\u003c/em\u003e document on\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the 
System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNon-CMS Organization System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert Organization B’s System\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction\u003c/strong\u003e: \u003cstrong\u003e\u0026lt;Insert Organization B’s System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e \u0026nbsp;\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert Organization B’s Physical Site Location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eNIST FIPS 199\u003c/a\u003e. 
For additional guidance, refer to \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003e\u003cem\u003eCMS Risk Management Handbook Chapter 12 Security and Privacy Planning\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTopological Diagram\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system).\u0026nbsp; Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e maintain a level of security that is commensurate with the risk and magnitude of 
the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCommunication/Information Security Points of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;\u003c/li\u003e\u003cli\u003eMaintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and\u003c/li\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POCs and interconnections.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POC and interconnection;\u003c/li\u003e\u003cli\u003eIdentify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall \u003c/strong\u003edesignate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsible Parties\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix B is a list of the responsible parties and contacts for each system.\u0026nbsp;It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and for the notification of such changes to the alternate party 
within 30 days of any personnel change. Updating Appendix B does not require the re-signing of this ISA by either party.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel/User Security\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eUser Community\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all employees, contractors, and other authorized users with access to the CMS Network and the Non-CMS Organization and the data sent and received from either organization are not security risks and meet the requirements of the \u003ca href=\"http://www.whitehouse.gov/omb/\"\u003eOffice of Management and Budget (OMB)\u003c/a\u003e and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.\u003c/li\u003e\u003cli\u003eEnforce the following IS best practices:\u003c/li\u003e\u003cli\u003eLeast Privilege:\u0026nbsp; Only authorizing access to the minimal amount of resources required for a function;\u003c/li\u003e\u003cli\u003eSeparation of Duties:\u0026nbsp; A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and\u003c/li\u003e\u003cli\u003eRole-Based Security:\u0026nbsp; Access controls to perform certain operations ('permissions') are assigned to specific roles.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCommitment to Protect Sensitive Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall \u003c/strong\u003enot release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguard of the 
agency.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that each of the Non-CMS Organization contractor employee signs form CMS R-0235, \u003ca href=\"https://security.cms.gov/learn/cms-data-use-agreement-dua\"\u003eCMS Data Use Agreement\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEnsure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components shall also comply with the security required by \u003ca href=\"https://www.acquisition.gov/far/52.239-1\"\u003eFederal Acquisition Regulation (FAR) clause 52.239-1\u003c/a\u003e, Privacy or Security Safeguards and CMS IS policies, standards, and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTraining and Awareness\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e have all users, including employees, contractors, and other authorized users complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: \u003ca href=\"https://www.cms.gov/cbt/\"\u003ehttps://www.cms.gov/cbt/\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Changes/De-registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.\u003c/li\u003e\u003cli\u003eProvide notification to their respective BO of any changes in the ISSO or POC information.\u003c/li\u003e\u003cli\u003eProvide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities.\u0026nbsp;\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity\"\u003elist of 
current CAA\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePolicies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e adhere to all DHHS and CMS IS policies, procedures, and guidelines on the \u003ca href=\"https://security.cms.gov/\"\u003eISPG website\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRules of Behavior\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization shall adhere to all current \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Rules-of-Behavior-for-Use-of-HHS-Information-and-IT-Resources-Policy.html?DLPage=1\u0026amp;DLEntries=10\u0026amp;DLFilter=rule\u0026amp;DLSort=0\u0026amp;DLSortDir=ascending\"\u003e\u003cem\u003eHHS Rules of Behavior (RoB) (For Use of Technology Resources and Information)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Documentation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal.\u0026nbsp; For guidance, see \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003ethe CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS shall\u003c/strong\u003e review the \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eCMS System Security Plan (SSPP)\u003c/em\u003e\u003c/a\u003e for CMS information system and the 
CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain an SSPP on the Non-CMS Organization’s network and update whenever there is a major modification. The SSPP shall be compliant with the \u003ca href=\"http://csrc.nist.gov/publications/PubsSPs.html\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18\u003cem\u003e Guide for Developing Security Plans for IT Systems\u003c/em\u003e.\u003c/a\u003e\u003c/li\u003e\u003cli\u003eMake accessible to CMS all IS program documents from the Non-CMS Organization.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Security\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from the Internet.\u003c/li\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from all other customer / business processes.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eMaterial Network Changes\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSubmit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;\u003c/li\u003e\u003cli\u003eRenegotiate this ISA before any changes are implemented;\u003c/li\u003e\u003cli\u003eReport planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);\u003c/li\u003e\u003cli\u003eConduct a risk assessment based on the new 
network architecture and modify and re-sign this ISA within one (1) month prior to implementation;\u003c/li\u003e\u003cli\u003eConduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and\u003c/li\u003e\u003cli\u003eNotify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNew Interconnections\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Inventory\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall\u003c/strong\u003e maintain and make available to CMS upon request a list of all Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003esubnets connected to CMS’ network and periodically update the information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFirewall Management\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eConfigure the CMS network perimeter firewall in accordance with OIT, IUSG.\u003c/li\u003e\u003cli\u003eBlock all network traffic incoming from the Internet to CMS unless it is explicitly permitted.\u003c/li\u003e\u003cli\u003eInstall a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent 
as OIT, IUSG.\u003c/li\u003e\u003cli\u003eProvide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIncident Prevention, Detection, and Response\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eIncident Handling\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eHandle and report incidents in accordance with the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003e\u003cem\u003eCMS RMH Chapter 8 Incident Handling\u003c/em\u003e\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNotify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eVulnerability Scanning\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;\u003c/li\u003e\u003cli\u003eReport to both the CMS BO and the Non-CMS Organization’s BO any security incident that occurs on either organization’s subnets within the scope of this ISA; and\u003c/li\u003e\u003cli\u003eBlock inbound and outbound access for any CMS or Non-CMS Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDisasters and 
Other Contingencies\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e\u0026nbsp;immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.\u003c/p\u003e\u003ch3\u003eModifications\u003c/h3\u003e\u003cp\u003eIf any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect, unless formally modified by both parties.\u0026nbsp; Any modifications that change the security posture to this ISA shall be in writing and agreed upon and approved in writing by either parties or their designees.\u003c/p\u003e\u003ch3\u003eCompliance\u003c/h3\u003e\u003cp\u003eNon-compliance with the terms of this ISA by either party may lead to termination of the interconnection.\u0026nbsp; CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network.\u0026nbsp; CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS).\u0026nbsp; The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.\u003c/p\u003e\u003ch3\u003eCost Considerations\u003c/h3\u003e\u003cp\u003eBoth parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media.\u0026nbsp; No financial commitments to reimburse the other party shall be made without the written concurrence of both parties.\u0026nbsp; Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ 
organization.\u0026nbsp; This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.\u003c/p\u003e\u003ch3\u003eTimeline\u003c/h3\u003e\u003cp\u003eThis ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party.\u0026nbsp; This ISA is subject to annual review and must be reauthorized when\u0026nbsp; significant changes (that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements.\u0026nbsp; If one or both of the parties wish to terminate this agreement, they may do so upon thirty (30) days’ written notice; in the event of a security incident or suspected incident, CMS has the right to immediately terminate the connection.\u003c/p\u003e\u003ch3\u003eOrder of Precedence\u0026nbsp;\u003c/h3\u003e\u003cp\u003eIn the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.\u003c/p\u003e\u003ch3\u003eConfidentiality\u0026nbsp;\u003c/h3\u003e\u003cp\u003eSubject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.\u003c/p\u003e\u003ch3\u003eSurvival\u003c/h3\u003e\u003cp\u003eThe parties’ rights and obligations shall survive expiration or termination of this ISA.\u003c/p\u003e\u003ch3\u003eRecords\u003c/h3\u003e\u003cp\u003eThe Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and 
for at least three (3) years after the date this ISA terminates or expires.\u0026nbsp; Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003ebusiness activities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSeverability\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever.\u0026nbsp; The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003eCMS does not warrant that Non-CMS Organization interconnection to the CMS’ network under this ISA will meet Non-CMS Organization requirements, expectations, or even the stated expected benefit of Non-CMS Organization interconnection to the CMS (see Provision 6, Statement of Requirements).\u0026nbsp; Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with the CMS, and Non-CMS Organization exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.\u003c/p\u003e\u003cp\u003eCMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.\u003c/p\u003e\u003ch3\u003eLimitation of Liability\u003c/h3\u003e\u003cp\u003eUNDER NO CIRCUMSTANCES AND UNDER NO 
LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.\u003c/p\u003e\u003ch3\u003eForce Majeure\u003c/h3\u003e\u003cp\u003eNon-CMS Organization failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters or similar causes beyond Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003econtrol) shall not be deemed a breach of this ISA.\u003c/p\u003e\u003ch3\u003eSignatures\u003c/h3\u003e\u003cp\u003eBoth parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA.\u0026nbsp; Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe agree to the terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirector, OIT Project Manager (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Chief Information Security Officer Chief Information Security Officer (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS ISSO ISSO (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Business Owner Business Owner (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ 
________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Project Officer\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Title)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T8f3f,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is an Interconnection Security Agreement (ISA)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAn Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. 
ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.\u003c/p\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks.\u0026nbsp; All CMS ISAs are based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eInterconnection Security Agreement (ISA) Template\u003c/h2\u003e\u003cp\u003e\u003cem\u003eISAs require the use of the \u003cstrong\u003eInterconnection Security Agreement (ISA) Template\u003c/strong\u003e. 
The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.\u003c/em\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis CMS and \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is maintained to record the annual reviews.\u0026nbsp; The CMS\u003cstrong\u003e \u003c/strong\u003eand \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is provided below.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISA review log\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDate of Review\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInitials of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eName of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOrganization of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eISA Version\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;insert Date of the review\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Initials of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Staff name of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert staff reviewer's organization\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert ISA Version reviewed\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare \u0026amp; Medicaid Services (CMS) and \u003cstrong\u003e\u0026lt;Insert Non-CMS 
Organization Name\u0026gt;\u003c/strong\u003e hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ \u003cstrong\u003e\u0026lt;Insert CMS' Network Name \u0026amp; Acronym\u0026gt;\u003c/strong\u003e, hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Information”\u003c/strong\u003e is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Network interconnection”\u003c/strong\u003e is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.”\u0026nbsp; (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Adequate security”\u003c/strong\u003e is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.”\u0026nbsp; (Office of Management and Budget (OMB) Circular 
A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) \u003cem\u003eSecurity Guide for Interconnecting Information Technology Systems\u003c/em\u003e (Special Publication (SP) 800-47)\u003c/a\u003e. NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.\u003c/p\u003e\u003cp\u003eThe ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. 
It also authorizes mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp; Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Background\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources.\u0026nbsp; The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations.\u0026nbsp; CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes.\u0026nbsp; Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Roles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Officer (CIO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CIO is responsible for the overall implementation and administration 
of the CMS Information Security Program.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Business Owners (BO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner (BO) is responsible for the management and oversight of the\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e\u0026nbsp;hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. 
The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to \u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNon-CMS Organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert background information about Organization B, including a brief description of the organization and its mission\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIT Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a brief description of the Organization IS program\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe scope of this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInterconnection between CMS information system and the Non-CMS Organization.\u003c/li\u003e\u003cli\u003eExisting and future users 
including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.\u003c/li\u003e\u003cli\u003eRelated network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthority\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy interconnecting with the CMS network and CMS information system, Non-CMS Organization agrees to be bound by this ISA and the use of CMS Network and CMS information system in compliance with this ISA.\u003c/p\u003e\u003cp\u003eThe authority for this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFederal Information Security Management Act of 2002 (FISMA);\u003c/li\u003e\u003cli\u003eOMB Circular A-130, Appendix III, \u003cem\u003eSecurity of Federal Automated Information Systems;\u003c/em\u003e\u003c/li\u003e\u003cli\u003e18 United States Code U.S.C. 641 Criminal Code: Public Money, Property or Records;\u003c/li\u003e\u003cli\u003e18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information;\u003c/li\u003e\u003cli\u003ePrivacy Act of 1974, 5 U.S.C. § 552a; and\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act (HIPAA) of 1996 P.L. 
104-191 (only if there is an exchange of PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis ISA is also in compliance with \u003ca href=\"http://www.hhs.gov/ocio/index.html\"\u003eDHHS policies\u003c/a\u003e and \u003ca href=\"http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/\"\u003eCMS policies\u003c/a\u003e. These sites may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eA \u003cstrong\u003e“major application” \u003c/strong\u003eis an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eStatement of Requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe expected benefit of the interconnection is \u003cstrong\u003e\u0026lt;Insert Business Expectation\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Information/Data Description\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eServices Offered\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or \u003ca href=\"mailto:cms_it_service.desk@cms.hhs.gov\"\u003ecms_it_service.desk@cms.hhs.gov\u003c/a\u003e) for the Non-CMS Organization Point of Contact (POC) to 
communicate any security issues; and\u003c/li\u003e\u003cli\u003eProvide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003eSystem Descriptions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u0026nbsp; CMS\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS’ System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS physical site location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003cem\u003eCMS Information Security Levels\u003c/em\u003e document on\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information 
Category from the System Security Level referenced above. Insert all entites that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNon-CMS Organization System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert Organization B’s System\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction\u003c/strong\u003e: \u003cstrong\u003e\u0026lt;Insert Organization B’s System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e \u0026nbsp;\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert Organization B’s Physical Site Location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eNIST FIPS 199\u003c/a\u003e. 
For additional guidance, refer to \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003e\u003cem\u003eCMS Risk Management Handbook Chapter 12 Security and Privacy Planning\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the System Security Level referenced above. Insert all entites that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTopological Diagram\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system).\u0026nbsp; Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e maintain a level of security that is commensurate with the risk and magnitude of 
the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCommunication/Information Security Points of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;\u003c/li\u003e\u003cli\u003eMaintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and\u003c/li\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POCs and interconnections.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POC and interconnection;\u003c/li\u003e\u003cli\u003eIdentify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall \u003c/strong\u003edesignate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsible Parties\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix B is a list of the responsible parties and contacts for each system.\u0026nbsp;It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and for the notification of such changes to the alternate party 
within 30 days of any personnel change. Updating Appendix B does not require the re-signing of this ISA by either party.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel/User Security\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eUser Community\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all employees, contractors, and other authorized users with access to the CMS Network and the Non-CMS Organization and the data sent and received from either organization are not security risks and meet the requirements of the \u003ca href=\"http://www.whitehouse.gov/omb/\"\u003eOffice of Management and Budget (OMB)\u003c/a\u003e and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.\u003c/li\u003e\u003cli\u003eEnforce the following IS best practices:\u003c/li\u003e\u003cli\u003eLeast Privilege:\u0026nbsp; Only authorizing access to the minimal amount of resources required for a function;\u003c/li\u003e\u003cli\u003eSeparation of Duties:\u0026nbsp; A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and\u003c/li\u003e\u003cli\u003eRole-Based Security:\u0026nbsp; Access controls to perform certain operations ('permissions') are assigned to specific roles.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCommitment to Protect Sensitive Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall \u003c/strong\u003enot release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguard of the 
agency.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that each Non-CMS Organization contractor employee signs form CMS R-0235, \u003ca href=\"https://security.cms.gov/learn/cms-data-use-agreement-dua\"\u003eCMS Data Use Agreement\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEnsure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components shall also comply with the security required by \u003ca href=\"https://www.acquisition.gov/far/52.239-1\"\u003eFederal Acquisition Regulation (FAR) clause 52.239-1\u003c/a\u003e, Privacy or Security Safeguards, and CMS IS policies, standards, and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTraining and Awareness\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e have all users, including employees, contractors, and other authorized users, complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: \u003ca href=\"https://www.cms.gov/cbt/\"\u003ehttps://www.cms.gov/cbt/\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Changes/De-registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.\u003c/li\u003e\u003cli\u003eProvide notification to their respective BO of any changes in the ISSO or POC information.\u003c/li\u003e\u003cli\u003eProvide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities.\u0026nbsp;\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity\"\u003elist of 
current CAA\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePolicies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e adhere to all DHHS and CMS IS policies, procedures, and guidelines on the \u003ca href=\"https://security.cms.gov/\"\u003eISPG website\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRules of Behavior\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization shall adhere to all current \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Rules-of-Behavior-for-Use-of-HHS-Information-and-IT-Resources-Policy.html?DLPage=1\u0026amp;DLEntries=10\u0026amp;DLFilter=rule\u0026amp;DLSort=0\u0026amp;DLSortDir=ascending\"\u003e\u003cem\u003eHHS Rules of Behavior (RoB) (For Use of Technology Resources and Information)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Documentation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal.\u0026nbsp; For guidance, see \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003ethe CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS shall\u003c/strong\u003e review the \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eCMS System Security Plan (SSPP)\u003c/em\u003e\u003c/a\u003e for CMS information system and the 
CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain an SSPP on the Non-CMS Organization’s network and update it whenever there is a major modification. The SSPP shall be compliant with the \u003ca href=\"http://csrc.nist.gov/publications/PubsSPs.html\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18\u003cem\u003e Guide for Developing Security Plans for IT Systems\u003c/em\u003e.\u003c/a\u003e\u003c/li\u003e\u003cli\u003eMake accessible to CMS all IS program documents from the Non-CMS Organization.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Security\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from the Internet.\u003c/li\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from all other customer / business processes.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eMaterial Network Changes\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSubmit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;\u003c/li\u003e\u003cli\u003eRenegotiate this ISA before any changes are implemented;\u003c/li\u003e\u003cli\u003eReport planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);\u003c/li\u003e\u003cli\u003eConduct a risk assessment based on the new 
network architecture and modify and re-sign this ISA within one (1) month prior to implementation;\u003c/li\u003e\u003cli\u003eConduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and\u003c/li\u003e\u003cli\u003eNotify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNew Interconnections\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Inventory\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall\u003c/strong\u003e maintain and make available to CMS upon request a list of all Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003esubnets connected to CMS’ network and periodically update the information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFirewall Management\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eConfigure the CMS network perimeter firewall in accordance with OIT, IUSG.\u003c/li\u003e\u003cli\u003eBlock all network traffic incoming from the Internet to CMS unless it is explicitly permitted.\u003c/li\u003e\u003cli\u003eInstall a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent 
as OIT, IUSG.\u003c/li\u003e\u003cli\u003eProvide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIncident Prevention, Detection, and Response\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eIncident Handling\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eHandle and report incidents in accordance with the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003e\u003cem\u003eCMS RMH Chapter 8 Incident Handling\u003c/em\u003e\u003c/a\u003e; and\u003c/li\u003e\u003cli\u003eNotify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eVulnerability Scanning\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;\u003c/li\u003e\u003cli\u003eReport to both the CMS BO and the Non-CMS Organization’s BO any security incident that affects either organization’s subnets within the scope of this ISA; and\u003c/li\u003e\u003cli\u003eBlock inbound and outbound access for any CMS or Non-CMS Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDisasters and 
Other Contingencies\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e\u0026nbsp;immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.\u003c/p\u003e\u003ch3\u003eModifications\u003c/h3\u003e\u003cp\u003eIf any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect, unless formally modified by both parties.\u0026nbsp; Any modifications that change the security posture to this ISA shall be in writing and agreed upon and approved in writing by either parties or their designees.\u003c/p\u003e\u003ch3\u003eCompliance\u003c/h3\u003e\u003cp\u003eNon-compliance with the terms of this ISA by either party may lead to termination of the interconnection.\u0026nbsp; CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network.\u0026nbsp; CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS).\u0026nbsp; The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.\u003c/p\u003e\u003ch3\u003eCost Considerations\u003c/h3\u003e\u003cp\u003eBoth parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media.\u0026nbsp; No financial commitments to reimburse the other party shall be made without the written concurrence of both parties.\u0026nbsp; Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ 
organization.\u0026nbsp; This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.\u003c/p\u003e\u003ch3\u003eTimeline\u003c/h3\u003e\u003cp\u003eThis ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party.\u0026nbsp; This ISA is subject to annual review and must be reauthorized when\u0026nbsp; significant changes (that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements.\u0026nbsp; If one or both of the parties wish to terminate this agreement, they may do so upon thirty (30) days written notice, or in the event of a security incident or suspected incident, CMS has the right to immediately terminate the connection.\u003c/p\u003e\u003ch3\u003eOrder of Precedence\u0026nbsp;\u003c/h3\u003e\u003cp\u003eIn the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.\u003c/p\u003e\u003ch3\u003eConfidentiality\u0026nbsp;\u003c/h3\u003e\u003cp\u003eSubject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.\u003c/p\u003e\u003ch3\u003eSurvival\u003c/h3\u003e\u003cp\u003eThe parties’ rights and obligations shall survive expiration or termination of this ISA.\u003c/p\u003e\u003ch3\u003eRecords\u003c/h3\u003e\u003cp\u003eThe Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and 
for at least three (3) years after the date this ISA terminates or expires.\u0026nbsp; Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003ebusiness activities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSeverability\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever.\u0026nbsp; The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003eCMS does not warrant that Non-CMS Organization interconnection to the CMS’ network under this ISA will meet Non-CMS Organization requirements, expectations, or even the stated expected benefit of Non-CMS Organization interconnection to the CMS (see Provision 6, Statement of Requirements).\u0026nbsp; Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with the CMS, and Non-CMS Organization exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.\u003c/p\u003e\u003cp\u003eCMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.\u003c/p\u003e\u003ch3\u003eLimitation of Liability\u003c/h3\u003e\u003cp\u003eUNDER NO CIRCUMSTANCES AND UNDER NO 
LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.\u003c/p\u003e\u003ch3\u003eForce Majeure\u003c/h3\u003e\u003cp\u003eNon-CMS Organization failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters or similar causes beyond Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003econtrol) shall not be deemed a breach of this ISA.\u003c/p\u003e\u003ch3\u003eSignatures\u003c/h3\u003e\u003cp\u003eBoth parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA.\u0026nbsp; Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe agree to the terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirector, OIT Project Manager (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Chief Information Security Officer Chief Information Security Officer (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS ISSO ISSO (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Business Owner Business Owner (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ 
________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Project Officer\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Title)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04"])</script><script>self.__next_f.push([1,":03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drup"])</script><script>self.__next_f.push([1,"al_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/"])</script><script>self.__next_f.push([1,"jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--r"])</script><script>self.__next_f.push([1,"oles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$61\",\"attributes\":\"$63\",\"relationships\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"topics\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16"])</script><script>self.__next_f.push([1,"\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"vid\":\"$80\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System 
Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"topics\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11"])</script><script>self.__next_f.push([1,"\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e?resourceVersion=id%3A19068\"}\naf:{\"self\":\"$b0\"}\nb2:[]\nb4:T8f3b,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is an Interconnection Security Agreement (ISA)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAn Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. 
Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.\u003c/p\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks.\u0026nbsp; All CMS ISAs are based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eInterconnection Security Agreement (ISA) Template\u003c/h2\u003e\u003cp\u003e\u003cem\u003eISAs require the use of the \u003cstrong\u003eInterconnection Security Agreement (ISA) Template\u003c/strong\u003e. 
The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.\u003c/em\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis CMS and \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is maintained to record the annual reviews.\u0026nbsp; The CMS\u003cstrong\u003e \u003c/strong\u003eand \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is provided below.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISA review log\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDate of Review\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInitials of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eName of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOrganization of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eISA Version\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;insert Date of the review\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Initials of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Staff name of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert staff reviewer's organization\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert ISA Version reviewed\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare \u0026amp; Medicaid Services (CMS) and \u003cstrong\u003e\u0026lt;Insert Non-CMS 
Organization Name\u0026gt;\u003c/strong\u003e hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ \u003cstrong\u003e\u0026lt;Insert CMS' Network Name \u0026amp; Acronym\u0026gt;\u003c/strong\u003e, hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Information”\u003c/strong\u003e is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Network interconnection”\u003c/strong\u003e is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.”\u0026nbsp; (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Adequate security”\u003c/strong\u003e is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.”\u0026nbsp; (Office of Management and Budget (OMB) Circular 
A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) \u003cem\u003eSecurity Guide for Interconnecting Information Technology Systems\u003c/em\u003e (Special Publication (SP) 800-47)\u003c/a\u003e. NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.\u003c/p\u003e\u003cp\u003eThe ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. 
\u003c/p\u003e\u003cp\u003eIt also authorizes\u0026nbsp;mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp; Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Background\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources.\u0026nbsp; The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations.\u0026nbsp; CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes.\u0026nbsp; Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Roles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Officer (CIO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CIO is responsible for the overall implementation and administration 
of the CMS Information Security Program.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Business Owners (BO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner (BO) is responsible for the management and oversight of the\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e\u0026nbsp;hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. 
The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to \u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNon-CMS Organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert background information about Organization B, including a brief description of the organization and its mission\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIT Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a brief description of the Organization IS program\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe scope of this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInterconnection between CMS information system and the Non-CMS Organization.\u003c/li\u003e\u003cli\u003eExisting and future users 
including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.\u003c/li\u003e\u003cli\u003eRelated network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthority\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy interconnecting with the CMS network and CMS information system, Non-CMS Organization agrees to be bound by this ISA and the use of CMS Network and CMS information system in compliance with this ISA.\u003c/p\u003e\u003cp\u003eThe authority for this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFederal Information Security Management Act of 2002 (FISMA);\u003c/li\u003e\u003cli\u003eOMB Circular A-130, Appendix III, \u003cem\u003eSecurity of Federal Automated Information Systems;\u003c/em\u003e\u003c/li\u003e\u003cli\u003e18 United States Code (U.S.C.) 641 Criminal Code: Public Money, Property or Records;\u003c/li\u003e\u003cli\u003e18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information;\u003c/li\u003e\u003cli\u003ePrivacy Act of 1974, 5 U.S.C. § 552a; and\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act (HIPAA) of 1996 P.L. 
104-191 (only if there is an exchange of PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis ISA is also in compliance with \u003ca href=\"http://www.hhs.gov/ocio/index.html \"\u003eDHHS policies\u003c/a\u003e and \u003ca href=\"http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/\"\u003eCMS policies\u003c/a\u003e. These sites may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eA \u003cstrong\u003e“major application” \u003c/strong\u003eis an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eStatement of Requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe expected benefit of the interconnection is \u003cstrong\u003e\u0026lt;Insert Business Expectation\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Information/Data Description\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eServices Offered\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or \u003ca href=\"mailto:cms_it_service.desk@cms.hhs.gov\"\u003emailto:cms_it_service.desk@cms.hhs.gov\u003c/a\u003e) for the Non-CMS Organization Point of Contact (POC) to communicate any 
security issues; and\u003c/li\u003e\u003cli\u003eProvide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003eSystem Descriptions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u0026nbsp; CMS\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS’ System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS physical site location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003cem\u003eCMS Information Security Levels\u003c/em\u003e document on\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the 
System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNon-CMS Organization System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert Organization B’s System\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction\u003c/strong\u003e: \u003cstrong\u003e\u0026lt;Insert Organization B’s System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e \u0026nbsp;\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert Organization B’s Physical Site Location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eNIST FIPS 199\u003c/a\u003e. 
For additional guidance, refer to \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003e\u003cem\u003eCMS Risk Management Handbook Chapter 12 Security and Privacy Planning\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTopological Diagram\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system).\u0026nbsp; Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e maintain a level of security that is commensurate with the risk and magnitude of 
the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCommunication/Information Security Points of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;\u003c/li\u003e\u003cli\u003eMaintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and\u003c/li\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POCs and interconnections.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POC and interconnection;\u003c/li\u003e\u003cli\u003eIdentify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall \u003c/strong\u003edesignate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsible Parties\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix B is a list of the responsible parties and contacts for each system.\u0026nbsp;It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and for the notification of such changes to the alternate party 
within 30 days of any personnel change. Updating Appendix B does not require the re-signing of this ISA by either party.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel/User Security\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eUser Community\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all employees, contractors, and other authorized users with access to the CMS Network and the Non-CMS Organization and the data sent and received from either organization are not security risks and meet the requirements of the \u003ca href=\"http://www.whitehouse.gov/omb/\"\u003eOffice of Management and Budget (OMB)\u003c/a\u003e and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.\u003c/li\u003e\u003cli\u003eEnforce the following IS best practices:\u003c/li\u003e\u003cli\u003eLeast Privilege:\u0026nbsp; Only authorizing access to the minimal amount of resources required for a function;\u003c/li\u003e\u003cli\u003eSeparation of Duties:\u0026nbsp; A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and\u003c/li\u003e\u003cli\u003eRole-Based Security:\u0026nbsp; Access controls to perform certain operations ('permissions') are assigned to specific roles.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCommitment to Protect Sensitive Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall \u003c/strong\u003enot release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguard of the 
agency.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that each Non-CMS Organization contractor employee signs form CMS R-0235, \u003ca href=\"https://security.cms.gov/learn/cms-data-use-agreement-dua\"\u003eCMS Data Use Agreement\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEnsure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components shall also comply with the security required by \u003ca href=\"https://www.acquisition.gov/far/52.239-1\"\u003eFederal Acquisition Regulation (FAR) clause 52.239-1\u003c/a\u003e, Privacy or Security Safeguards and CMS IS policies, standards, and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTraining and Awareness\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e have all users, including employees, contractors, and other authorized users complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: \u003ca href=\"https://www.cms.gov/cbt/\"\u003ehttps://www.cms.gov/cbt/\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Changes/De-registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.\u003c/li\u003e\u003cli\u003eProvide notification to their respective BO of any changes in the ISSO or POC information.\u003c/li\u003e\u003cli\u003eProvide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities.\u0026nbsp;\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity\"\u003elist of 
current CAA\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePolicies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e adhere to all DHHS and CMS IS policies, procedures, and guidelines on the \u003ca href=\"https://security.cms.gov/\"\u003eISPG website\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRules of Behavior\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization shall adhere to all current \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Rules-of-Behavior-for-Use-of-HHS-Information-and-IT-Resources-Policy.html?DLPage=1\u0026amp;DLEntries=10\u0026amp;DLFilter=rule\u0026amp;DLSort=0\u0026amp;DLSortDir=ascending\"\u003e\u003cem\u003eHHS Rules of Behavior (RoB) (For Use of Technology Resources and Information)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Documentation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal.\u0026nbsp; For guidance, see \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003ethe CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS shall\u003c/strong\u003e review the \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eCMS System Security Plan (SSPP)\u003c/em\u003e\u003c/a\u003e for CMS information system and the 
CMS network annually and update it when there is a major modification, as required by the CMS SSP Procedures.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain an SSPP on the Non-CMS Organization’s network and update whenever there is a major modification. The SSPP shall be compliant with the \u003ca href=\"http://csrc.nist.gov/publications/PubsSPs.html\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18\u003cem\u003e Guide for Developing Security Plans for IT Systems\u003c/em\u003e.\u003c/a\u003e\u003c/li\u003e\u003cli\u003eMake accessible to CMS all IS program documents from the Non-CMS Organization.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Security\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from the Internet.\u003c/li\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from all other customer / business processes.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eMaterial Network Changes\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSubmit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;\u003c/li\u003e\u003cli\u003eRenegotiate this ISA before any changes are implemented;\u003c/li\u003e\u003cli\u003eReport planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);\u003c/li\u003e\u003cli\u003eConduct a risk assessment based on the new 
network architecture and modify and re-sign this ISA within one (1) month prior to implementation;\u003c/li\u003e\u003cli\u003eConduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and\u003c/li\u003e\u003cli\u003eNotify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNew Interconnections\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Inventory\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall\u003c/strong\u003e maintain and make available to CMS upon request a list of all Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003esubnets connected to CMS’ network and periodically update the information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFirewall Management\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eConfigure the CMS network perimeter firewall in accordance with OIT, IUSG.\u003c/li\u003e\u003cli\u003eBlock all network traffic incoming from the Internet to CMS unless it is explicitly permitted.\u003c/li\u003e\u003cli\u003eInstall a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent 
as OIT, IUSG.\u003c/li\u003e\u003cli\u003eProvide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIncident Prevention, Detection, and Response\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eIncident Handling\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eHandle and report incidents in accordance with the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003e\u003cem\u003eCMS RMH Chapter 8 Incident Handling\u003c/em\u003e\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNotify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eVulnerability Scanning\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;\u003c/li\u003e\u003cli\u003eReport to both the CMS BO and the Non-CMS Organization’s BO any security incident that affects either organization’s subnets within the scope of this ISA; and\u003c/li\u003e\u003cli\u003eBlock inbound and outbound access for any CMS or Non-CMS Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDisasters and 
Other Contingencies\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e\u0026nbsp;immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.\u003c/p\u003e\u003ch3\u003eModifications\u003c/h3\u003e\u003cp\u003eIf any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect, unless formally modified by both parties.\u0026nbsp; Any modifications that change the security posture to this ISA shall be in writing and agreed upon and approved in writing by either parties or their designees.\u003c/p\u003e\u003ch3\u003eCompliance\u003c/h3\u003e\u003cp\u003eNon-compliance with the terms of this ISA by either party may lead to termination of the interconnection.\u0026nbsp; CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network.\u0026nbsp; CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS).\u0026nbsp; The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.\u003c/p\u003e\u003ch3\u003eCost Considerations\u003c/h3\u003e\u003cp\u003eBoth parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media.\u0026nbsp; No financial commitments to reimburse the other party shall be made without the written concurrence of both parties.\u0026nbsp; Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ 
organization.\u0026nbsp; This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.\u003c/p\u003e\u003ch3\u003eTimeline\u003c/h3\u003e\u003cp\u003eThis ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party.\u0026nbsp; This ISA is subject to annual review and must be reauthorized when\u0026nbsp; significant changes (that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements.\u0026nbsp; If one or both of the parties wish to terminate this agreement, they may do so upon thirty (30) days written notice or in an event of a security incident or suspected incident CMS has the right to immediately terminate the connection.\u003c/p\u003e\u003ch3\u003eOrder of Precedence\u0026nbsp;\u003c/h3\u003e\u003cp\u003eIn the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.\u003c/p\u003e\u003ch3\u003eConfidentiality\u0026nbsp;\u003c/h3\u003e\u003cp\u003eSubject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.\u003c/p\u003e\u003ch3\u003eSurvival\u003c/h3\u003e\u003cp\u003eThe parties’ rights and obligations shall survive expiration or termination of this ISA.\u003c/p\u003e\u003ch3\u003eRecords\u003c/h3\u003e\u003cp\u003eThe Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and 
for at least three (3) years after the date this ISA terminates or expires.\u0026nbsp; Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003ebusiness activities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSeverability\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever.\u0026nbsp; The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003eCMS does not warrant that Non-CMS Organization interconnection to the CMS’ network under this ISA will meet Non-CMS Organization requirements, expectations, or even the stated expected benefit of Non-CMS Organization interconnection to the CMS (see Provision 6, Statement of Requirements).\u0026nbsp; Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with the CMS, and Non-CMS Organization exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.\u003c/p\u003e\u003cp\u003eCMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.\u003c/p\u003e\u003ch3\u003eLimitation of Liability\u003c/h3\u003e\u003cp\u003eUNDER NO CIRCUMSTANCES AND UNDER NO 
LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.\u003c/p\u003e\u003ch3\u003eForce Majeure\u003c/h3\u003e\u003cp\u003eNon-CMS Organization failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters or similar causes beyond Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003econtrol) shall not be deemed a breach of this ISA.\u003c/p\u003e\u003ch3\u003eSignatures\u003c/h3\u003e\u003cp\u003eBoth parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA.\u0026nbsp; Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe agree to the terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirector, OIT Project Manager (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Chief Information Security Officer Chief Information Security Officer (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS ISSO ISSO (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Business Owner Business Owner (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ 
________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Project Officer\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Title)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"b5:T8f3f,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is an Interconnection Security Agreement (ISA)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAn Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. 
ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.\u003c/p\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks.\u0026nbsp; All CMS ISAs are based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eInterconnection Security Agreement (ISA) Template\u003c/h2\u003e\u003cp\u003e\u003cem\u003eISAs require the use of the \u003cstrong\u003eInterconnection Security Agreement (ISA) Template\u003c/strong\u003e. 
The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.\u003c/em\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis CMS and \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is maintained to record the annual reviews.\u0026nbsp; The CMS\u003cstrong\u003e \u003c/strong\u003eand \u003cstrong\u003e\u0026lt;Insert Non-CMS Organization Name\u0026gt;\u003c/strong\u003e ISA Review Log is provided below.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISA review log\u003c/strong\u003e\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eDate of Review\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eInitials of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eName of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eOrganization of Reviewer\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eISA Version\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026lt;insert Date of the review\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Initials of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert Staff name of the reviewer\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert staff reviewer's organization\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;insert ISA Version reviewed\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare \u0026amp; Medicaid Services (CMS) and \u003cstrong\u003e\u0026lt;Insert Non-CMS 
Organization Name\u0026gt;\u003c/strong\u003e hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ \u003cstrong\u003e\u0026lt;Insert CMS' Network Name \u0026amp; Acronym\u0026gt;\u003c/strong\u003e, hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Information”\u003c/strong\u003e is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Network interconnection”\u003c/strong\u003e is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.”\u0026nbsp; (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003e\u003cstrong\u003e“Adequate security”\u003c/strong\u003e is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.”\u0026nbsp; (Office of Management and Budget (OMB) Circular 
A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFederal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/final\"\u003eNational Institute of Standards and Technology (NIST) \u003cem\u003eSecurity Guide for Interconnecting Information Technology Systems\u003c/em\u003e (Special Publication (SP) 800-47)\u003c/a\u003e. NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.\u003c/p\u003e\u003cp\u003eThe ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. 
It also authorizes mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.\u0026nbsp; Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Background\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources.\u0026nbsp; The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations.\u0026nbsp; CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes.\u0026nbsp; Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Roles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Officer (CIO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CIO is responsible for the overall implementation and administration 
of the CMS Information Security Program.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Chief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Business Owners (BO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner (BO) is responsible for the management and oversight of the\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e\u0026nbsp;hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. 
The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to \u003cstrong\u003e\u0026lt;Insert CMS information system name \u0026amp; acronym\u0026gt;\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNon-CMS Organization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert background information about Organization B, including a brief description of the organization and its mission\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eIT Security Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a brief description of the Organization IS program\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u0026lt;Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.\u0026gt;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003e(ROLE)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert roles and responsibilities\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe scope of this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInterconnection between CMS information system and the Non-CMS Organization.\u003c/li\u003e\u003cli\u003eExisting and future users 
including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.\u003c/li\u003e\u003cli\u003eRelated network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthority\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy interconnecting with the CMS network and CMS information system, Non-CMS Organization agrees to be bound by this ISA and the use of CMS Network and CMS information system in compliance with this ISA.\u003c/p\u003e\u003cp\u003eThe authority for this ISA is based on the following, but not limited to the:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFederal Information Security Management Act of 2002 (FISMA);\u003c/li\u003e\u003cli\u003eOMB Circular A-130, Appendix III, \u003cem\u003eSecurity of Federal Automated Information Systems;\u003c/em\u003e\u003c/li\u003e\u003cli\u003e18 United States Code U.S.C. 641 Criminal Code: Public Money, Property or Records;\u003c/li\u003e\u003cli\u003e18 U.S.C. 1905 Criminal Code: Disclosure of Confidential Information;\u003c/li\u003e\u003cli\u003ePrivacy Act of 1974, 5 U.S.C. § 552a; and\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act (HIPAA) of 1996 P.L. 
104-191 (only if there is an exchange of PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis ISA is also in compliance with \u003ca href=\"https://www.hhs.gov/ocio/index.html\"\u003eDHHS policies\u003c/a\u003e and \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/\"\u003eCMS policies\u003c/a\u003e. These sites may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eA \u003cstrong\u003e“major application” \u003c/strong\u003eis an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eStatement of Requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe expected benefit of the interconnection is \u003cstrong\u003e\u0026lt;Insert Business Expectation\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Information/Data Description\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eServices Offered\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or \u003ca href=\"mailto:cms_it_service.desk@cms.hhs.gov\"\u003ecms_it_service.desk@cms.hhs.gov\u003c/a\u003e) for the Non-CMS Organization Point of Contact (POC) to 
communicate any security issues; and\u003c/li\u003e\u003cli\u003eProvide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u0026lt;Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch3\u003eSystem Descriptions\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u0026nbsp; CMS\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS’ System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert CMS physical site location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003cem\u003eCMS Information Security Levels\u003c/em\u003e document on\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information 
Category from the System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNon-CMS Organization System\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eName:\u003c/strong\u003e\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert Organization B’s System\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFunction\u003c/strong\u003e: \u003cstrong\u003e\u0026lt;Insert Organization B’s System Function\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e \u0026nbsp;\u0026nbsp;\u003cstrong\u003e\u0026lt;Insert Organization B’s Physical Site Location\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDescription of data, including Sensitivity or Classification level: \u003cstrong\u003e\u0026lt;Insert description\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eDescribe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH.\u0026nbsp; Refer to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"\u003eNIST FIPS 199\u003c/a\u003e. 
For additional guidance, refer to \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-12-security-privacy-planning-pl\"\u003e\u003cem\u003eCMS Risk Management Handbook Chapter 12 Security and Privacy Planning\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eInformation Category\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eLevel\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eSecurity Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.\u0026gt;\u003c/td\u003e\u003ctd\u003e\u0026lt;Insert HIGH, MODERATE or LOW.\u0026gt;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eOverall Security Level Designation:\u0026nbsp; \u003cstrong\u003e\u0026lt;Insert highest level from the table above\u0026gt;\u003c/strong\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTopological Diagram\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system).\u0026nbsp; Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Responsibilities\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e maintain a level of security that is commensurate with the risk and magnitude of 
the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCommunication/Information Security Points of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;\u003c/li\u003e\u003cli\u003eMaintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and\u003c/li\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POCs and interconnections.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eCMS shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eInform their counterpart promptly of any change in technical POC and interconnection;\u003c/li\u003e\u003cli\u003eIdentify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall \u003c/strong\u003edesignate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsible Parties\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAppendix B is a list of the responsible parties and contacts for each system.\u0026nbsp;It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and for the notification of such changes to the alternate party 
within 30 days of any personnel change. Updating Appendix B does not require the re-signing of this ISA by either party.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel/User Security\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eUser Community\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all employees, contractors, and other authorized users with access to the CMS Network and the Non-CMS Organization and the data sent and received from either organization are not security risks and meet the requirements of the \u003ca href=\"https://www.whitehouse.gov/omb/\"\u003eOffice of Management and Budget (OMB)\u003c/a\u003e and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.\u003c/li\u003e\u003cli\u003eEnforce the following IS best practices:\u003c/li\u003e\u003cli\u003eLeast Privilege:\u0026nbsp; Only authorizing access to the minimal amount of resources required for a function;\u003c/li\u003e\u003cli\u003eSeparation of Duties:\u0026nbsp; A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and\u003c/li\u003e\u003cli\u003eRole-Based Security:\u0026nbsp; Access controls to perform certain operations ('permissions') are assigned to specific roles.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCommitment to Protect Sensitive Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall \u003c/strong\u003enot release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguard of the 
agency.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that each Non-CMS Organization contractor employee signs form CMS R-0235, \u003ca href=\"https://security.cms.gov/learn/cms-data-use-agreement-dua\"\u003eCMS Data Use Agreement\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEnsure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components shall also comply with the security required by \u003ca href=\"https://www.acquisition.gov/far/52.239-1\"\u003eFederal Acquisition Regulation (FAR) clause 52.239-1\u003c/a\u003e, Privacy or Security Safeguards and CMS IS policies, standards, and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTraining and Awareness\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e have all users, including employees, contractors, and other authorized users complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: \u003ca href=\"https://www.cms.gov/cbt/\"\u003ehttps://www.cms.gov/cbt/\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Changes/De-registration\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.\u003c/li\u003e\u003cli\u003eProvide notification to their respective BO of any changes in the ISSO or POC information.\u003c/li\u003e\u003cli\u003eProvide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities.\u0026nbsp;\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity\"\u003elist of 
current CAA\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePolicies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e adhere to all DHHS and CMS IS policies, procedures, and guidelines on the \u003ca href=\"https://security.cms.gov/\"\u003eISPG website\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRules of Behavior\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization shall adhere to all current \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/HHS-Rules-of-Behavior-for-Use-of-HHS-Information-and-IT-Resources-Policy.html?DLPage=1\u0026amp;DLEntries=10\u0026amp;DLFilter=rule\u0026amp;DLSort=0\u0026amp;DLSortDir=ascending\"\u003e\u003cem\u003eHHS Rules of Behavior (RoB) (For Use of Technology Resources and Information)\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Documentation\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal.\u0026nbsp; For guidance, see \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003ethe CMS Security and Privacy Handbooks.\u0026nbsp;\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS shall\u003c/strong\u003e review the \u003ca href=\"https://security.cms.gov/learn/system-security-and-privacy-plan-sspp\"\u003e\u003cem\u003eCMS System Security Plan (SSPP)\u003c/em\u003e\u003c/a\u003e for CMS information system and the 
CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain an SSPP on the Non-CMS Organization’s network and update whenever there is a major modification. The SSPP shall be compliant with the \u003ca href=\"http://csrc.nist.gov/publications/PubsSPs.html\"\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18\u003cem\u003e Guide for Developing Security Plans for IT Systems\u003c/em\u003e.\u003c/a\u003e\u003c/li\u003e\u003cli\u003eMake accessible to CMS all IS program documents from the Non-CMS Organization.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eNetwork Security\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from the Internet.\u003c/li\u003e\u003cli\u003eEnsure that this interconnection is completely isolated from all other customer / business processes.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eMaterial Network Changes\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSubmit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;\u003c/li\u003e\u003cli\u003eRenegotiate this ISA before any changes are implemented;\u003c/li\u003e\u003cli\u003eReport planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);\u003c/li\u003e\u003cli\u003eConduct a risk assessment based on the new 
network architecture and modify and re-sign this ISA within one (1) month prior to implementation;\u003c/li\u003e\u003cli\u003eConduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and\u003c/li\u003e\u003cli\u003eNotify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNew Interconnections\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNetwork Inventory\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eNon-CMS Organization shall\u003c/strong\u003e maintain and make available to CMS upon request a list of all Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003esubnets connected to CMS’ network and periodically update the information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFirewall Management\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eConfigure the CMS network perimeter firewall in accordance with OIT, IUSG.\u003c/li\u003e\u003cli\u003eBlock all network traffic incoming from the Internet to CMS unless it is explicitly permitted.\u003c/li\u003e\u003cli\u003eInstall a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eThe Non-CMS Organization shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent 
as OIT, IUSG.\u003c/li\u003e\u003cli\u003eProvide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIncident Prevention, Detection, and Response\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eIncident Handling\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eHandle and report incidents in accordance with the \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003e\u003cem\u003eCMS RMH Chapter 8 Incident Handling\u003c/em\u003e\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNotify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eVulnerability Scanning\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;\u003c/li\u003e\u003cli\u003eReport to both the CMS BO and the Non-CMS Organization’s BO any security incident that affects either organization’s subnets within the scope of this ISA; and\u003c/li\u003e\u003cli\u003eBlock inbound and outbound access for any CMS or Non-CMS Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDisasters and 
Other Contingencies\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003e\u003cstrong\u003eBoth parties shall\u003c/strong\u003e\u0026nbsp;immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.\u003c/p\u003e\u003ch3\u003eModifications\u003c/h3\u003e\u003cp\u003eIf any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect, unless formally modified by both parties.\u0026nbsp; Any modifications that change the security posture to this ISA shall be in writing and agreed upon and approved in writing by either parties or their designees.\u003c/p\u003e\u003ch3\u003eCompliance\u003c/h3\u003e\u003cp\u003eNon-compliance with the terms of this ISA by either party may lead to termination of the interconnection.\u0026nbsp; CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network.\u0026nbsp; CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS).\u0026nbsp; The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.\u003c/p\u003e\u003ch3\u003eCost Considerations\u003c/h3\u003e\u003cp\u003eBoth parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media.\u0026nbsp; No financial commitments to reimburse the other party shall be made without the written concurrence of both parties.\u0026nbsp; Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ 
organization.\u0026nbsp; This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.\u003c/p\u003e\u003ch3\u003eTimeline\u003c/h3\u003e\u003cp\u003eThis ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party.\u0026nbsp; This ISA is subject to annual review and must be reauthorized when\u0026nbsp; significant changes (that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements.\u0026nbsp; If one or both of the parties wish to terminate this agreement, they may do so upon thirty (30) days written notice or in an event of a security incident or suspected incident CMS has the right to immediately terminate the connection.\u003c/p\u003e\u003ch3\u003eOrder of Precedence\u0026nbsp;\u003c/h3\u003e\u003cp\u003eIn the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.\u003c/p\u003e\u003ch3\u003eConfidentiality\u0026nbsp;\u003c/h3\u003e\u003cp\u003eSubject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.\u003c/p\u003e\u003ch3\u003eSurvival\u003c/h3\u003e\u003cp\u003eThe parties’ rights and obligations shall survive expiration or termination of this ISA.\u003c/p\u003e\u003ch3\u003eRecords\u003c/h3\u003e\u003cp\u003eThe Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and 
for at least three (3) years after the date this ISA terminates or expires.\u0026nbsp; Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003ebusiness activities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSeverability\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever.\u0026nbsp; The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003eCMS does not warrant that Non-CMS Organization interconnection to the CMS’ network under this ISA will meet Non-CMS Organization requirements, expectations, or even the stated expected benefit of Non-CMS Organization interconnection to the CMS (see Provision 6, Statement of Requirements).\u0026nbsp; Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with the CMS, and Non-CMS Organization exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.\u003c/p\u003e\u003cp\u003eCMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.\u003c/p\u003e\u003ch3\u003eLimitation of Liability\u003c/h3\u003e\u003cp\u003eUNDER NO CIRCUMSTANCES AND UNDER NO 
LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.\u003c/p\u003e\u003ch3\u003eForce Majeure\u003c/h3\u003e\u003cp\u003eNon-CMS Organization failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters or similar causes beyond Non-CMS Organization\u003cstrong\u003e \u003c/strong\u003econtrol) shall not be deemed a breach of this ISA.\u003c/p\u003e\u003ch3\u003eSignatures\u003c/h3\u003e\u003cp\u003eBoth parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA.\u0026nbsp; Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe agree to the terms and conditions of this ISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirector, OIT Project Manager (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Chief Information Security Officer Chief Information Security Officer (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS ISSO ISSO (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Business Owner Business Owner (equivalent)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ ________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name) (Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________ 
________________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date) (Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS Project Officer\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Name)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Title)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e_______________________________\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e(Signature) (Date)\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"b3:{\"value\":\"$b4\",\"format\":\"body_text\",\"processed\":\"$b5\"}\nb1:{\"drupal_internal__id\":471,\"drupal_internal__revision_id\":19068,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T15:39:00+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$b2\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$b3\"}\nb9:{\"drupal_internal__target_id\":\"page_section\"}\nb8:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$b9\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/paragraph_type?resourceVersion=id%3A19068\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/relationships/paragraph_type?resourceVersion=id%3A19068\"}\nba:{\"related\":\"$bb\",\"self\":\"$bc\"}\nb7:{\"data\":\"$b8\",\"links\":\"$ba\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/field_specialty_item?resourceVersion=id%3A19068\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb
6-f3ae5144517e/relationships/field_specialty_item?resourceVersion=id%3A19068\"}\nbe:{\"related\":\"$bf\",\"self\":\"$c0\"}\nbd:{\"data\":null,\"links\":\"$be\"}\nb6:{\"paragraph_type\":\"$b7\",\"field_specialty_item\":\"$bd\"}\nae:{\"type\":\"paragraph--page_section\",\"id\":\"da1f3f7f-d36b-4de6-8cb6-f3ae5144517e\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b6\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3?resourceVersion=id%3A19069\"}\nc2:{\"self\":\"$c3\"}\nc5:[]\nc4:{\"drupal_internal__id\":1971,\"drupal_internal__revision_id\":19069,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:00+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$c5\",\"default_langcode\":true,\"revision_translation_affected\":true}\nc9:{\"drupal_internal__target_id\":\"internal_link\"}\nc8:{\"type\":\"paragraphs_t"])</script><script>self.__next_f.push([1,"ype--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$c9\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/paragraph_type?resourceVersion=id%3A19069\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/relationships/paragraph_type?resourceVersion=id%3A19069\"}\nca:{\"related\":\"$cb\",\"self\":\"$cc\"}\nc7:{\"data\":\"$c8\",\"links\":\"$ca\"}\nd2:{\"about\":\"Usage and meaning of the 'missing' resource 
identifier.\"}\nd1:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":\"$d2\"}\nd0:{\"help\":\"$d1\"}\ncf:{\"links\":\"$d0\"}\nce:{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":\"$cf\"}\nd4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/field_link?resourceVersion=id%3A19069\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/relationships/field_link?resourceVersion=id%3A19069\"}\nd3:{\"related\":\"$d4\",\"self\":\"$d5\"}\ncd:{\"data\":\"$ce\",\"links\":\"$d3\"}\nc6:{\"paragraph_type\":\"$c7\",\"field_link\":\"$cd\"}\nc1:{\"type\":\"paragraph--internal_link\",\"id\":\"da9ed939-59c5-4f5a-b714-5aa88a5478f3\",\"links\":\"$c2\",\"attributes\":\"$c4\",\"relationships\":\"$c6\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53?resourceVersion=id%3A19070\"}\nd7:{\"self\":\"$d8\"}\nda:[]\nd9:{\"drupal_internal__id\":1976,\"drupal_internal__revision_id\":19070,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:15+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$da\",\"default_langcode\":true,\"revision_translation_affected\":true}\nde:{\"drupal_internal__target_id\":\"internal_link\"}\ndd:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$de\"}\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/paragraph_type?resourceVersion=id%3A19070\""])</script><script>self.__next_f.push([1,"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/relationships/paragraph_type?resourceVersion=id%3A19070\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\ndc:{\"data\":\"$dd\",\"links\":\"$df\"}\ne7:{\"about
\":\"Usage and meaning of the 'missing' resource identifier.\"}\ne6:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":\"$e7\"}\ne5:{\"help\":\"$e6\"}\ne4:{\"links\":\"$e5\"}\ne3:{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":\"$e4\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/field_link?resourceVersion=id%3A19070\"}\nea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/relationships/field_link?resourceVersion=id%3A19070\"}\ne8:{\"related\":\"$e9\",\"self\":\"$ea\"}\ne2:{\"data\":\"$e3\",\"links\":\"$e8\"}\ndb:{\"paragraph_type\":\"$dc\",\"field_link\":\"$e2\"}\nd6:{\"type\":\"paragraph--internal_link\",\"id\":\"a9b181c6-d845-47ca-8a46-7e88b5e22a53\",\"links\":\"$d7\",\"attributes\":\"$d9\",\"relationships\":\"$db\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041?resourceVersion=id%3A19071\"}\nec:{\"self\":\"$ed\"}\nef:[]\nee:{\"drupal_internal__id\":1981,\"drupal_internal__revision_id\":19071,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:25+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$ef\",\"default_langcode\":true,\"revision_translation_affected\":true}\nf3:{\"drupal_internal__target_id\":\"internal_link\"}\nf2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$f3\"}\nf5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/paragraph_type?resourceVersion=id%3A19071\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/relationships/paragraph_type?resourceVersion=id%3A19071\"}\nf4:{\"related\":\"$f5\",\"self\":\"$f6\"}\nf1:{\"data\":\"$f2\",\"links\":\"$f"])</script
><script>self.__next_f.push([1,"4\"}\nf9:{\"drupal_internal__target_id\":381}\nf8:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":\"$f9\"}\nfb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/field_link?resourceVersion=id%3A19071\"}\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/relationships/field_link?resourceVersion=id%3A19071\"}\nfa:{\"related\":\"$fb\",\"self\":\"$fc\"}\nf7:{\"data\":\"$f8\",\"links\":\"$fa\"}\nf0:{\"paragraph_type\":\"$f1\",\"field_link\":\"$f7\"}\neb:{\"type\":\"paragraph--internal_link\",\"id\":\"27483139-4280-4515-b78e-efbcd7cdb041\",\"links\":\"$ec\",\"attributes\":\"$ee\",\"relationships\":\"$f0\"}\nff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}\nfe:{\"self\":\"$ff\"}\n101:{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"}\n102:{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at CMS\u003c/p\u003e\\n\"}\n103:[\"#security_community\"]\n100:{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":true,\"title\":\"National Institute of Standards and Technology 
(NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$101\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$102\",\"field_slack_channel\":\"$103\"}\n107:{\"drupal_internal__target_id\":\"explainer\"}\n106:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-"])</script><script>self.__next_f.push([1,"85cb-b04f304dfb1b\",\"meta\":\"$107\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A5993\"}\n10a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}\n108:{\"related\":\"$109\",\"self\":\"$10a\"}\n105:{\"data\":\"$106\",\"links\":\"$108\"}\n10d:{\"drupal_internal__target_id\":6}\n10c:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$10d\"}\n10f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"}\n110:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}\n10e:{\"related\":\"$10f\",\"self\":\"$110\"}\n10b:{\"data\":\"$10c\",\"links\":\"$10e\"}\n113:{\"drupal_internal__target_id\":26}\n112:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$113\"}\n115:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"}\n116:{\"href\":\"https://cybergeek.c
ms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}\n114:{\"related\":\"$115\",\"self\":\"$116\"}\n111:{\"data\":\"$112\",\"links\":\"$114\"}\n11a:{\"target_revision_id\":19645,\"drupal_internal__target_id\":496}\n119:{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":\"$11a\"}\n118:[\"$119\"]\n11c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"}\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_section?resourceVersion=id%3A5993\"}\n11b:{\"related\":\"$11c\",\"self\":\"$11d\"}\n117:{\"data\":\"$118\",\"links\":\"$11b\"}\n121:{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}\n120:{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2a"])</script><script>self.__next_f.push([1,"a9c42\",\"meta\":\"$121\"}\n123:{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}\n122:{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc75c4f9e\",\"meta\":\"$123\"}\n125:{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}\n124:{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":\"$125\"}\n127:{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}\n126:{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":\"$127\"}\n129:{\"target_revision_id\":19650,\"drupal_internal__target_id\":2291}\n128:{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":\"$129\"}\n11f:[\"$120\",\"$122\",\"$124\",\"$126\",\"$128\"]\n12b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"}\n12c:{\"href\":\"https://c
ybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}\n12a:{\"related\":\"$12b\",\"self\":\"$12c\"}\n11e:{\"data\":\"$11f\",\"links\":\"$12a\"}\n12f:{\"drupal_internal__target_id\":131}\n12e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$12f\"}\n131:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_type?resourceVersion=id%3A5993\"}\n132:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}\n130:{\"related\":\"$131\",\"self\":\"$132\"}\n12d:{\"data\":\"$12e\",\"links\":\"$130\"}\n134:[]\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"}\n137:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}\n135:{\"related\":\"$136\",\"self\":\"$137\"}\n133:{\"data\":\"$134\",\"links\":\"$135\"}\n13b:{\"drupal_internal__target_id\":21}\n13a:{"])</script><script>self.__next_f.push([1,"\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$13b\"}\n139:[\"$13a\"]\n13d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"}\n13e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}\n13c:{\"related\":\"$13d\",\"self\":\"$13e\"}\n138:{\"data\":\"$139\",\"links\":\"$13c\"}\n104:{\"node_type\":\"$105\",\"revision_uid\":\"$10b\",\"uid\":\"$111\",\"field_page_section\":\"$117\",\"field_related_collection\":\"$11e\",\"field_resource_type\":\"$12d\",\"field_roles\":\"$133\
",\"field_topics\":\"$138\"}\nfd:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":\"$fe\",\"attributes\":\"$100\",\"relationships\":\"$104\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"784c2319-9f10-4abc-a3f3-0ee8be8ed4f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4?resourceVersion=id%3A5760\"}},\"attributes\":{\"drupal_internal__nid\":651,\"drupal_internal__vid\":5760,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:56:46+00:00\",\"status\":true,\"title\":\"CMS Interconnection Security Agreement (ISA)\",\"created\":\"2023-02-02T15:36:30+00:00\",\"changed\":\"2024-08-05T15:56:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-interconnection-security-agreement-isa\",\"pid\":641,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Defining the relationship between CMS information systems and external systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDefining the relationship between CMS information systems and external 
systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-privacy-agreement-consults\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/node_type?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/node_type?resourceVersion=id%3A5760\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/revision_uid?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/revision_uid?resourceVersion=id%3A5760\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/uid?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/uid?resourceVersion=id%3A5760\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"da1f3f7f-d36b-4de6-8cb6-f3ae5144517e\",\"meta\":{\"target_revision_id\":19068,\"drupal_internal__target_id\":471}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/field_page_section?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relation
ships/field_page_section?resourceVersion=id%3A5760\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"da9ed939-59c5-4f5a-b714-5aa88a5478f3\",\"meta\":{\"target_revision_id\":19069,\"drupal_internal__target_id\":1971}},{\"type\":\"paragraph--internal_link\",\"id\":\"a9b181c6-d845-47ca-8a46-7e88b5e22a53\",\"meta\":{\"target_revision_id\":19070,\"drupal_internal__target_id\":1976}},{\"type\":\"paragraph--internal_link\",\"id\":\"27483139-4280-4515-b78e-efbcd7cdb041\",\"meta\":{\"target_revision_id\":19071,\"drupal_internal__target_id\":1981}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/field_related_collection?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/field_related_collection?resourceVersion=id%3A5760\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/field_resource_type?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/field_resource_type?resourceVersion=id%3A5760\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/field_roles?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee
8be8ed4f4/relationships/field_roles?resourceVersion=id%3A5760\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/field_topics?resourceVersion=id%3A5760\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/784c2319-9f10-4abc-a3f3-0ee8be8ed4f4/relationships/field_topics?resourceVersion=id%3A5760\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at 
CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"hel
p\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion
=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}},\"attributes\":{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.dr
upal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"da1f3f7f-d36b-4de6-8cb6-f3ae5144517e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e?resourceVersion=id%3A19068\"}},\"attributes\":{\"drupal_internal__id\":471,\"drupal_internal__revision_id\":19068,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-02T15:39:00+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/paragraph_type?resourceVersion=id%3A19068\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/relationships/paragraph_type?resourceVersion=id%3A19068\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3f7f-d36b-4de6-8cb6-f3ae5144517e/field_specialty_item?resourceVersion=id%3A19068\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/da1f3
f7f-d36b-4de6-8cb6-f3ae5144517e/relationships/field_specialty_item?resourceVersion=id%3A19068\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"da9ed939-59c5-4f5a-b714-5aa88a5478f3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3?resourceVersion=id%3A19069\"}},\"attributes\":{\"drupal_internal__id\":1971,\"drupal_internal__revision_id\":19069,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:00+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/paragraph_type?resourceVersion=id%3A19069\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/relationships/paragraph_type?resourceVersion=id%3A19069\"}}},\"field_link\":{\"data\":{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":{\"about\":\"Usage and meaning of the 'missing' resource 
identifier.\"}}}}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/field_link?resourceVersion=id%3A19069\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/da9ed939-59c5-4f5a-b714-5aa88a5478f3/relationships/field_link?resourceVersion=id%3A19069\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"a9b181c6-d845-47ca-8a46-7e88b5e22a53\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53?resourceVersion=id%3A19070\"}},\"attributes\":{\"drupal_internal__id\":1976,\"drupal_internal__revision_id\":19070,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:15+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/paragraph_type?resourceVersion=id%3A19070\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/relationships/paragraph_type?resourceVersion=id%3A19070\"}}},\"field_link\":{\"data\":{\"type\":\"unknown\",\"id\":\"missing\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#missing\",\"meta\":{\"about\":\"Usage and meaning of the 'missing' resource 
identifier.\"}}}}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/field_link?resourceVersion=id%3A19070\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a9b181c6-d845-47ca-8a46-7e88b5e22a53/relationships/field_link?resourceVersion=id%3A19070\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"27483139-4280-4515-b78e-efbcd7cdb041\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041?resourceVersion=id%3A19071\"}},\"attributes\":{\"drupal_internal__id\":1981,\"drupal_internal__revision_id\":19071,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T21:01:25+00:00\",\"parent_id\":\"651\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/paragraph_type?resourceVersion=id%3A19071\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/relationships/paragraph_type?resourceVersion=id%3A19071\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":{\"drupal_internal__target_id\":381}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/field_link?resourceVersion=id%3A19071\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/27483139-4280-4515-b78e-efbcd7cdb041/relationships/field_link?resourceVersion=id%3A
19071\"}}}}},{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}},\"attributes\":{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":true,\"title\":\"National Institute of Standards and Technology (NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at 
CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#security_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":{\"target_revision_id\":19645,\"drupal_internal__target_id\":496}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_se
ction?resourceVersion=id%3A5993\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2aa9c42\",\"meta\":{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}},{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc75c4f9e\",\"meta\":{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}},{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}},{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}},{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":{\"target_revision_id\":19650,\"drupal_internal__target_id\":2291}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}}},\"field_roles\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.go
v/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2c\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$46\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$60\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$7a\",\"0bc7c1d0-b569-4514-b66c-367457dead7e\":\"$94\",\"da1f3f7f-d36b-4de6-8cb6-f3ae5144517e\":\"$ae\",\"da9ed939-59c5-4f5a-b714-5aa88a5478f3\":\"$c1\",\"a9b181c6-d845-47ca-8a46-7e88b5e22a53\":\"$d6\",\"27483139-4280-4515-b78e-efbcd7cdb041\":\"$eb\",\"af385f5f-f61b-47af-a235-7dc48efd251e\":\"$fd\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Interconnection Security Agreement (ISA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Defining the relationship between CMS information systems and external 
systems\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-interconnection-security-agreement-isa\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Interconnection Security Agreement (ISA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Defining the relationship between CMS information systems and external systems\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-interconnection-security-agreement-isa\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-interconnection-security-agreement-isa/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Interconnection Security Agreement (ISA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Defining the relationship between CMS information systems and external 
systems\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-interconnection-security-agreement-isa/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |