cms-gov/security.cms.gov/learn/cms-risk-management-framework-rmf
2025-02-28 14:41:14 -05:00


<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Risk Management Framework (RMF) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="A structured yet flexible process for managing risk 
throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST"/><link rel="canonical" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Risk Management Framework (RMF) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST"/><meta property="og:url" content="https://security.cms.gov/learn/cms-risk-management-framework-rmf"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-risk-management-framework-rmf/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Risk Management Framework (RMF) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-risk-management-framework-rmf/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section 
class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div 
class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium 
tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate 
(ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" 
id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Risk Management Framework (RMF)</h1><p class="hero__description">A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li 
class="line-height-sans-5 margin-top-0">#ispg-sec_privacy-policy</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is the Risk Management Framework (RMF)?</h2><p>The <a href="https://csrc.nist.gov/projects/risk-management/about-rmf">Risk Management Framework (RMF)</a> from NIST provides a structured yet flexible process for managing risk throughout a systems life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.</p><h2>RMF at CMS</h2><p>CMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.</p><p>The <strong>CMS Risk Management Framework</strong> refers to any application of the NIST RMF within the CMS environment. 
Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.</p><p>The CMS Risk Management Framework (based on the NIST RMF):</p><ul><li>Integrates information security and privacy protections into the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/EnterpriseArchitecture">Enterprise Architecture</a>, <a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc">Target Life Cycle (TLC)</a>, and <a href="https://security.cms.gov/learn/cms-technical-reference-architecture-tra">Technical Reference Architecture (TRA)</a></li><li>Provides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems</li><li>Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)</li><li>Establishes responsibility and accountability for security and privacy controls deployed within CMS information systems and inherited by those systems (i.e., common controls)</li></ul><h2>RMF steps</h2><p>The steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a systems life cycle. Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.&nbsp;</p><p>The steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.</p><h3>Prepare</h3><p>Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. 
Outcomes:</p><ul><li>Key risk management roles identified</li><li>Organizational risk management strategy established, risk tolerance determined</li><li>Organization-wide risk assessment</li><li>Organization-wide strategy for continuous monitoring developed and implemented</li><li>Common controls identified</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step"><strong>Read the handbook for the Prepare step</strong></a>&nbsp;</p><h3>Categorize</h3><p>Inform organizational risk management processes and tasks by determining the adverse impact&nbsp; with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. Outcomes:</p><ul><li>System characteristics documented</li><li>Security categorization of the system and information completed</li><li>Categorization decision reviewed/approved by authorizing official</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step"><strong>Read the handbook for the Categorize step</strong></a></p><h3>Select</h3><p>Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:&nbsp;</p><ul><li>Control baselines selected and tailored</li><li>Controls designated as system-specific, hybrid, or common</li><li>Controls allocated to specific system components</li><li>System-level continuous monitoring strategy developed</li><li>Security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step"><strong>Read the handbook for the Select step</strong></a></p><h3>Implement</h3><p>Implement the controls in the security and privacy plans for the system and organization. 
Outcomes:</p><ul><li>Controls specified in security and privacy plans implemented</li><li>Security and privacy plans updated to reflect controls as implemented</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step"><strong>Read the handbook for the Implement step</strong></a></p><h3>Assess</h3><p>Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:</p><ul><li>Assessment team selected</li><li>Security and privacy assessment plans developed</li><li>Assessment plans are reviewed and approved</li><li>Control assessments conducted in accordance with assessment plans</li><li>Security and privacy assessment reports developed</li><li>Remediation actions to address deficiencies in controls are taken</li><li>Security and privacy plans are updated to reflect controls as implemented</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step"><strong>Read the handbook for the Assess step</strong></a></p><h3>Authorize</h3><p>Provide accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable. 
Outcomes:&nbsp;</p><ul><li>Authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)</li><li>Risk determination rendered</li><li>Risk responses provided</li><li>Authorization for the system or common controls is approved or denied</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step"><strong>Read the handbook for the Authorize step</strong></a></p><h3>Monitor</h3><p>Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:&nbsp;</p><ul><li>System and environment of operation monitored in accordance with continuous monitoring strategy</li><li>Ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy</li><li>Output of continuous monitoring activities analyzed and responded to</li><li>Process in place to report security and privacy posture to management</li><li>Ongoing authorizations conducted using results of continuous monitoring activities</li></ul><p><a href="https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step"><strong>Read the handbook for the Monitor step</strong></a></p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Information about NIST and how the 
agency&#x27;s policies and guidance relate to security and privacy at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-information-system-security-officer-isso-handbook">CMS Information System Security Officer (ISSO) Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&amp;Ms, and supports the ATO process</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" 
src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. 
Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-risk-management-framework-rmf\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cms-risk-management-framework-rmf\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-risk-management-framework-rmf\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-risk-management-framework-rmf\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templat
eScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/p
age-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship 
Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program 
(CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO 
stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy 
(IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program 
(FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T1c95,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the Risk Management Framework (RMF)?\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/projects/risk-management/about-rmf\"\u003eRisk Management Framework (RMF)\u003c/a\u003e from NIST provides a structured yet flexible process for managing risk throughout a systems life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.\u003c/p\u003e\u003ch2\u003eRMF at CMS\u003c/h2\u003e\u003cp\u003eCMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Risk Management Framework\u003c/strong\u003e refers to any application of the NIST RMF within the CMS environment. 
Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.\u003c/p\u003e\u003cp\u003eThe CMS Risk Management Framework (based on the NIST RMF):\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntegrates information security and privacy protections into the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/EnterpriseArchitecture\"\u003eEnterprise Architecture\u003c/a\u003e, \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProvides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems\u003c/li\u003e\u003cli\u003eLinks risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)\u003c/li\u003e\u003cli\u003eEstablishes responsibility and accountability for security and privacy controls deployed within CMS information systems and inherited by those systems (i.e., common controls)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eRMF steps\u003c/h2\u003e\u003cp\u003eThe steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a systems life cycle. 
Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.\u003c/p\u003e\u003ch3\u003ePrepare\u003c/h3\u003e\u003cp\u003eCarry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey risk management roles identified\u003c/li\u003e\u003cli\u003eOrganizational risk management strategy established, risk tolerance determined\u003c/li\u003e\u003cli\u003eOrganization-wide risk assessment\u003c/li\u003e\u003cli\u003eOrganization-wide strategy for continuous monitoring developed and implemented\u003c/li\u003e\u003cli\u003eCommon controls identified\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003e\u003cstrong\u003eRead the handbook for the Prepare step\u003c/strong\u003e\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003eCategorize\u003c/h3\u003e\u003cp\u003eInform organizational risk management processes and tasks by determining the adverse impact\u0026nbsp; with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. 
Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem characteristics documented\u003c/li\u003e\u003cli\u003eSecurity categorization of the system and information completed\u003c/li\u003e\u003cli\u003eCategorization decision reviewed/approved by authorizing official\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Categorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eSelect\u003c/h3\u003e\u003cp\u003eSelect, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl baselines selected and tailored\u003c/li\u003e\u003cli\u003eControls designated as system-specific, hybrid, or common\u003c/li\u003e\u003cli\u003eControls allocated to specific system components\u003c/li\u003e\u003cli\u003eSystem-level continuous monitoring strategy developed\u003c/li\u003e\u003cli\u003eSecurity and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003e\u003cstrong\u003eRead the handbook for the Select step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eImplement\u003c/h3\u003e\u003cp\u003eImplement the controls in the security and privacy plans for the system and organization. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls specified in security and privacy plans implemented\u003c/li\u003e\u003cli\u003eSecurity and privacy plans updated to reflect controls as implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003e\u003cstrong\u003eRead the handbook for the Implement step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssess\u003c/h3\u003e\u003cp\u003eDetermine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment team selected\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment plans developed\u003c/li\u003e\u003cli\u003eAssessment plans are reviewed and approved\u003c/li\u003e\u003cli\u003eControl assessments conducted in accordance with assessment plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports developed\u003c/li\u003e\u003cli\u003eRemediation actions to address deficiencies in controls are taken\u003c/li\u003e\u003cli\u003eSecurity and privacy plans are updated to reflect control implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003e\u003cstrong\u003eRead the handbook for the Assess step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAuthorize\u003c/h3\u003e\u003cp\u003eProvide\u0026nbsp; accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAuthorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)\u003c/li\u003e\u003cli\u003eRisk determination rendered\u003c/li\u003e\u003cli\u003eRisk responses provided\u003c/li\u003e\u003cli\u003eAuthorization for the system or common controls is approved or denied\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Authorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eMonitor\u003c/h3\u003e\u003cp\u003eMaintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem and environment of operation monitored in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOngoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOutput of continuous monitoring activities analyzed and responded to\u003c/li\u003e\u003cli\u003eProcess in place to report security and privacy posture to management\u003c/li\u003e\u003cli\u003eOngoing authorizations conducted using results of continuous monitoring activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003e\u003cstrong\u003eRead the handbook for the Monitor step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T1c95,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the Risk Management Framework (RMF)?\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/projects/risk-management/about-rmf\"\u003eRisk Management Framework 
(RMF)\u003c/a\u003e from NIST provides a structured yet flexible process for managing risk throughout a systems life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.\u003c/p\u003e\u003ch2\u003eRMF at CMS\u003c/h2\u003e\u003cp\u003eCMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Risk Management Framework\u003c/strong\u003e refers to any application of the NIST RMF within the CMS environment. Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.\u003c/p\u003e\u003cp\u003eThe CMS Risk Management Framework (based on the NIST RMF):\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntegrates information security and privacy protections into the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/EnterpriseArchitecture\"\u003eEnterprise Architecture\u003c/a\u003e, \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProvides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems\u003c/li\u003e\u003cli\u003eLinks risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)\u003c/li\u003e\u003cli\u003eEstablishes responsibility and accountability for security and privacy controls 
deployed within CMS information systems and inherited by those systems (i.e., common controls)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eRMF steps\u003c/h2\u003e\u003cp\u003eThe steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a systems life cycle. Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.\u003c/p\u003e\u003ch3\u003ePrepare\u003c/h3\u003e\u003cp\u003eCarry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey risk management roles identified\u003c/li\u003e\u003cli\u003eOrganizational risk management strategy established, risk tolerance determined\u003c/li\u003e\u003cli\u003eOrganization-wide risk assessment\u003c/li\u003e\u003cli\u003eOrganization-wide strategy for continuous monitoring developed and implemented\u003c/li\u003e\u003cli\u003eCommon controls identified\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003e\u003cstrong\u003eRead the handbook for the Prepare step\u003c/strong\u003e\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003eCategorize\u003c/h3\u003e\u003cp\u003eInform organizational risk management processes and tasks by determining the adverse impact\u0026nbsp; with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. 
Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem characteristics documented\u003c/li\u003e\u003cli\u003eSecurity categorization of the system and information completed\u003c/li\u003e\u003cli\u003eCategorization decision reviewed/approved by authorizing official\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Categorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eSelect\u003c/h3\u003e\u003cp\u003eSelect, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl baselines selected and tailored\u003c/li\u003e\u003cli\u003eControls designated as system-specific, hybrid, or common\u003c/li\u003e\u003cli\u003eControls allocated to specific system components\u003c/li\u003e\u003cli\u003eSystem-level continuous monitoring strategy developed\u003c/li\u003e\u003cli\u003eSecurity and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003e\u003cstrong\u003eRead the handbook for the Select step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eImplement\u003c/h3\u003e\u003cp\u003eImplement the controls in the security and privacy plans for the system and organization. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls specified in security and privacy plans implemented\u003c/li\u003e\u003cli\u003eSecurity and privacy plans updated to reflect controls as implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003e\u003cstrong\u003eRead the handbook for the Implement step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssess\u003c/h3\u003e\u003cp\u003eDetermine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment team selected\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment plans developed\u003c/li\u003e\u003cli\u003eAssessment plans are reviewed and approved\u003c/li\u003e\u003cli\u003eControl assessments conducted in accordance with assessment plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports developed\u003c/li\u003e\u003cli\u003eRemediation actions to address deficiencies in controls are taken\u003c/li\u003e\u003cli\u003eSecurity and privacy plans are updated to reflect controls implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003e\u003cstrong\u003eRead the handbook for the Assess step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAuthorize\u003c/h3\u003e\u003cp\u003eProvide accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAuthorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)\u003c/li\u003e\u003cli\u003eRisk determination rendered\u003c/li\u003e\u003cli\u003eRisk responses provided\u003c/li\u003e\u003cli\u003eAuthorization for the system or common controls is approved or denied\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Authorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eMonitor\u003c/h3\u003e\u003cp\u003eMaintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem and environment of operation monitored in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOngoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOutput of continuous monitoring activities analyzed and responded to\u003c/li\u003e\u003cli\u003eProcess in place to report security and privacy posture to management\u003c/li\u003e\u003cli\u003eOngoing authorizations conducted using results of continuous monitoring activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003e\u003cstrong\u003eRead the handbook for the Monitor step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T12321,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook gives practical guidance to Information System Security Officers (ISSO)s at CMS when 
performing their necessary tasks.\u0026nbsp; It helps new ISSOs get started and explains the responsibilities, resources, and organizational relationships needed for an ISSO to be successful.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis guide is for CMS (Federal) ISSOs, Contractor ISSOs, and contract security support individuals.\u0026nbsp; Business Owners and their staff may also find parts of this handbook useful, particularly when appointing new ISSOs or gaining a better understanding of ISSO tasks.\u003c/p\u003e\u003cp\u003eThe ISSO role is critical to the safe and authorized use of sensitive information in support of CMS's commitment to improving healthcare for millions of Americans. As an ISSO,\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat do ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery CMS system must formally designate an ISSO who serves as the primary point of contact responsible for the system's security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISSOs at CMS are responsible for overseeing the security and privacy posture of the system(s) entrusted to their care, coordinating all information system risk management and information privacy activities, and acting as the Business Owner's “go-to person” for security questions and needs. Together, the ISSOs make up a supportive community working to ensure the success of the cybersecurity program at CMS.\u003c/p\u003e\u003cp\u003eFor more details, see the section on role and responsibilities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho do ISSOs work with?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is part of the\u003cstrong\u003e portfolio team\u003c/strong\u003e — the group of people who work together to make sure that any given CMS information system complies with federal security requirements and is managed in a way that protects the personal and health information of those who depend on CMS for benefits. 
The portfolio team has the following roles:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProgram Executive, Information System Owner (ISO), Business Owner (BO), and Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese people work together to take full responsibility for implementing the required security and privacy controls and managing the cybersecurity and privacy risk posture for each system. All of these roles must be an agency official (federal government employee) except the ISSO, which may be a federal employee or a contractor.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCRAs are the “go-to” experts in all areas of risk management, and as such they evaluate and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the Authorizing Official. CRAs also help to identify the types of information processed by a system, assign the appropriate security categorizations, determine the privacy impacts, and manage information security and privacy risk. 
They facilitate the completion of all federal cybersecurity and privacy requirements and this means that CRAs and ISSOs often work closely together.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Data Guardian coordinates CMS Program activities involving beneficiary and other types of consumer information that require privacy protections.\u0026nbsp; The Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Privacy Advisor is a member of ISPG who provides privacy-related expertise to help the team identify and manage privacy risk.\u0026nbsp; The Privacy Advisor is an agency official (federal government employee) and serves as a point of contact for issues related to the Privacy Act. They also support the completion of privacy-related artifacts such as Systems of Records Notice (SORN), Privacy Act reviews, and FISMA and Privacy Management Report.\u003c/p\u003e\u003cp\u003eDetailed information about all of these roles can be found in the CMS Information Security and Privacy Policy (IS2P2) and the HHS Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat should an ISSO know?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of every ISSO should be to support the BO to securely provide the service intended by the system. To help accomplish this goal, an ISSO should ideally know and understand their component's business processes and how the system supports that business. This knowledge is critically applied during the construction of the System Security and Privacy Plan (SSPP).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation security is a means to an end and not the end in itself\u003c/strong\u003e. 
In the public sector, information security is secondary to the agency's services provided to its constituency. We, as security professionals, must not lose sight of these goals and objectives.\u003c/p\u003e\u003cp\u003eIn order to help the BO provide a CMS service in a manner that is demonstrably secure and safeguards any sensitive beneficiary information, the ISSO must know (at a minimum):\u003c/p\u003e\u003cul\u003e\u003cli\u003eMission and business functions of their component\u003c/li\u003e\u003cli\u003eHow the system supports the component's mission\u003c/li\u003e\u003cli\u003eSystem details, including:\u003cul\u003e\u003cli\u003eArchitecture\u003c/li\u003e\u003cli\u003eSystem components (hardware, software, peripherals, etc.)\u003c/li\u003e\u003cli\u003eLocation of each system component\u003c/li\u003e\u003cli\u003eData flow\u003c/li\u003e\u003cli\u003eInterconnections (internal and external)\u003c/li\u003e\u003cli\u003eSecurity categorization\u0026nbsp;\u003c/li\u003e\u003cli\u003eSecurity requirements\u003c/li\u003e\u003cli\u003eConfiguration management processes and procedures\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers (how many, location, role, etc.)\u003c/li\u003e\u003cli\u003eKey personnel by name\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow are ISSOs appointed?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Program Executive in coordination with the Data Guardian, ISO, and Business Owner, is responsible for nominating appropriately qualified ISSO appointees, as defined under FISMA, to the CISO for approval.\u003c/p\u003e\u003cp\u003eThe nominated ISSO, by signing the appointment letter, agrees to maintain the appropriate operational security posture of the information system by fulfilling all of the responsibilities identified in the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/a\u003e and the HHS 
Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eA subset of the ISSO's duties and responsibilities is contained in the \u003ca href=\"/learn/isso-appointment-letter\"\u003eappointment letter\u003c/a\u003e. ISSO letters must be updated whenever a change occurs. The designated ISSO should be consistently identified in three sources: the ISSO letter, the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e, and in \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe signed appointment letter should be given to the appropriate CRA for further action.\u0026nbsp;\u003cstrong\u003e It is the responsibility of the CRA to upload the letter to CFACTS\u003c/strong\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eGetting started (for new ISSOs)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCongratulations on your new assignment as an Information System Security Officer (ISSO) at CMS! Because you are charged with protecting the sensitive information contained in systems that support healthcare delivery for millions of people, your role is vital to the success of CMS's mission. You will learn how to identify and protect information that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eIndividually Identifiable Information (IIF)\u003c/li\u003e\u003cli\u003eProtected Health Information (PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis means that security must become a vital part of your daily routine and always top-of-mind. 
Your training as an ISSO will ensure that you know and understand the requirements for protecting government assets like classified information, property, and personnel.\u003c/p\u003e\u003cp\u003eMost importantly, you will learn to work as part of a team that is dedicated to making sure CMS information systems can operate securely. While CMS has established a security program to protect assets and keep sensitive information safe, the key ingredient is always \u003cstrong\u003epeople\u003c/strong\u003e. No matter how comprehensive a program may be, you and your coworkers will ultimately determine the success of our established procedures.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnd we are here to help you along the way! This Handbook is your primary resource for initial information about your role, and will direct you to other sources of help and support.\u003c/p\u003e\u003cp\u003eHere are the steps you should take to get started:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the paperwork\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you have not already, make sure that your \u003ca href=\"/learn/isso-appointment-letter\"\u003e\u003cstrong\u003eISSO Appointment Letter\u003c/strong\u003e\u003c/a\u003e is completed and submitted to your Cyber Risk Advisor (CRA) by your Business Owner (BO). The Appointment Letter is intended to formally nominate you as an ISSO. It also gives you a wealth of information about your duties and responsibilities. It also contains the qualifications and training to which you should aspire. 
This document may be your first communication with your CRA — the first of many conversations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf you need a copy of the ISSO Appointment Letter template, contact the ISSO Support Team: \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete ISSO onboarding\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO Support team in ISPG can help get you started. You should ask for an initial meeting with the team to orient you to your new role and next steps. \u0026nbsp; You should also reach out to your CRA, who may wish to meet on a regular basis initially, especially if your system has an important near-term milestone. If your BO did not set this up for you, you can do it yourself by sending a note to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. It is helpful to put the word “Onboarding” in the subject line.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnow your systems\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMake sure that in your conversation with your Business Owner, you understand whether you are going to be the primary ISSO (or the only ISSO), or if you are going to be an assistant. Do you know where your system is located? When does the Authority to Operate (ATO) expire? Are you working on a new system? The more you know at the beginning, the easier it will be to prioritize and to work with your integrated team. If you have questions about any of this, reach out to the ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIn addition to your BO and your CRA, there are others that you should get to know. We recommend that you reach out to them. We also recommend face to face meetings, at least initially. 
Some others you should get to know include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOther ISSOs in your component, if applicable\u003c/li\u003e\u003cli\u003eYour system's Technical Lead\u003c/li\u003e\u003cli\u003eWhen appropriate, your system's contractor security support\u003c/li\u003e\u003cli\u003eThe ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssess your skills with the ISSO Score Card\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs come from many backgrounds, both technical and non-technical. Even new ISSOs with a technical background may not be familiar with the “CMS way” of operating. While you will be busy with your new role, you should take some initial time to get a better awareness of your capabilities to be a CMS ISSO through some focused initial training.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe've made it easy to figure out what training you should prioritize using a self-assessment tool: the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card.\u003c/a\u003e Every ISSO is encouraged to take this assessment regularly as their knowledge expands. 
The ISSO Score Card is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eConfidential\u003c/strong\u003e - only you will see the results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eQuick\u003c/strong\u003e - only taking 10-15 minutes to complete\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eGeared to ISSO duties\u003c/strong\u003e - taken directly from CMS policies and requirements\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePersonalized\u003c/strong\u003e - you'll get a customized report to help you make a training plan\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEasy\u003c/strong\u003e - using a simple online web interface\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eGo to the ISSO Score Card\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSign up for training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs an ISSO, it is vital that you understand security and privacy fundamentals and how they are applied at CMS. Regardless of your prior level of experience, you will need to know the CMS-specific workflows and governance. There is a wealth of training available to you, both for getting started and deepening your knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWondering where to start\u003c/strong\u003e? Here's a simple checklist to make sure you complete the essential training that will start you on the road to success:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFigure out what you need to know (or brush up on) using the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card\u003c/a\u003e. 
Use the results to sign up for training that is customized to your level.\u003c/li\u003e\u003cli\u003eLearn about 6 key job functions of ISSOs using the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003evideo training series from CMS\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eSign up for CFACTS training — it's worth the 2-day time investment to get a solid grasp on this essential tool for the ISSO's daily work. (This is available in the CMS Computer Based Training platform).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFinally, to build upon the checklist above, we have provided a list of Basic, Intermediate, and Advanced ISSO training courses that are free for you to take. See the Training section of this Handbook for details.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGet a mentor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOptionally, you can join the \u003ca href=\"/learn/isso-mentorship-program\"\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/a\u003e to be paired with an experienced ISSO. Once paired, you should work together to develop a cadence for meeting and knowledge sharing. This allows you to gain confidence faster and get hands-on support. Learn more about the ISSO Mentorship Program here.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eJoin the community\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cybersecurity community at CMS is alive and growing. There are all kinds of ways that you can get involved, get an idea of what's going on at CMS, and learn how it affects you. Attend the CMS Cybersecurity Community Forum, read the ISSO Journal, and look for ISPG-sponsored security and privacy activities.\u003c/p\u003e\u003cp\u003eFinally, if you have any questions along the way, just ask. 
Your job is very important to the success of CMS programs, and everyone at ISPG is here to support you!\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGoals for your first year\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy the end of your first year as an ISSO, it should be your goal to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn the security planning and administrative security procedures for systems that process sensitive information such as PHI, PII, FTI, and classified and national intelligence data\u003c/li\u003e\u003cli\u003eUnderstand the implementation and enforcement of CMS Information System Security and Privacy policies and practices\u0026nbsp;\u003c/li\u003e\u003cli\u003eKnow the concerns and requirements that determine the administration and management of physical, system, and data access controls based on the sensitivity of the data processed and the corresponding authorization requirements\u003c/li\u003e\u003cli\u003eLearn the identification, analysis, assessment and evaluation of information system threats and vulnerabilities and their impact on their component's critical information infrastructures\u003c/li\u003e\u003cli\u003eBe able to identify management, technical, personnel, operational and physical security controls\u003c/li\u003e\u003cli\u003eUnderstand any additional critical areas of knowledge related to your system\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eRole and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSOs maintain a strong security and privacy posture for their assigned system(s) in the following high-level ways:\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eServe as principal advisor\u003c/strong\u003e to the System Owner (SO), Business Owner (BO), and the Chief Information Security Officer (CISO) on all system security and privacy matters\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain system authorization \u003c/strong\u003eby following the \u003ca 
href=\"/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eNIST Risk Management Framework\u003c/a\u003e to select, implement, document, test, and maintain the security and privacy controls required to authorize and operate information systems within CMS's risk tolerance throughout the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain security and privacy operations\u003c/strong\u003e capabilities sufficient to identify, detect, protect, respond, and recover from security incidents (as per the \u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-cybersecurity-framework-csf\"\u003eNIST Cybersecurity Framework\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMeet federal reporting requirements\u003c/strong\u003e for information security and privacy, including documenting and mitigating weaknesses and reporting incidents and breaches\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eManage privacy requirements\u003c/strong\u003e by working collaboratively with Data Guardians and Privacy Advisors\u003c/p\u003e\u003cp\u003eThe official role and specific responsibilities for ISSOs are outlined in detail by the CMS Information Security and Privacy Policy (IS2P2), which is based upon the related policy document from HHS (IS2P). 
The following list is based on those policy documents and includes some key duties for ISSOs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eComplete the security categorization for the FISMA system using the CFACTS tool\u003c/li\u003e\u003cli\u003eComplete and maintain the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e using the CFACTS tool\u003c/li\u003e\u003cli\u003eEnsure \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Tests\u003c/a\u003e have been scheduled and completed in a timely manner\u003c/li\u003e\u003cli\u003eDevelop, document and maintain an inventory of hardware and software components within the FISMA system's authorization boundary\u003c/li\u003e\u003cli\u003eCoordinate the development of a \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan\u003c/a\u003e and ensure the plan is tested and maintained accordingly\u003c/li\u003e\u003cli\u003eMaintain primary responsibility for the actions and activities associated with the FISMA system receiving and maintaining an \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to manage information security and privacy risk\u003c/li\u003e\u003cli\u003eMonitor and update all POA\u0026amp;Ms in accordance with current requirements and instruction\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline\u003c/li\u003e\u003cli\u003eIdentify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to meet all collection, creation, use, dissemination, 
retention, and maintenance requirements for sensitive information in accordance with the Privacy Act, E-Government Act, and all other applicable guidance\u003c/li\u003e\u003cli\u003eCoordinate with the BO, Contracting Officer, ISO, and CISO to ensure that all requirements specified by the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e and the \u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eRMH\u003c/a\u003e are implemented and enforced for applicable information and information systems\u003c/li\u003e\u003cli\u003eReport and manage IT Security and Privacy Incidents in accordance with the RMH and other applicable federal guidance\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTypes of ISSO roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe specific type of ISSO role assigned to a system will depend on the needs of the system and the available personnel. The descriptions below are taken from the CMS Information Security and Privacy Policy (IS2P2).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrimary Information System Security Officer (P-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS P-ISSO may be either a federal government employee or a contractor and must fulfill all of the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.24, System Security and System Privacy Officers. 
The ISSO must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the IS2P Sections 7.26 and 7.30.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecondary Information System Security Officer (S-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS S-ISSO may be either a federal government employee or a contractor identified in the IS2P Section 7.25, ISSO Designated Representative / Security Steward and must assist the P-ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Security Officer Contractor Support (ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ISSOCS is a contractor-only role that assists and supports the P-ISSO and S-ISSO roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor role may be performed by an ISSO. The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.23.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by an ISSO. The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.30.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO checklist\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis section provides a list of specific tasks an ISSO should perform periodically. The timelines listed for each task are general guidelines, which may vary depending on the Component guidance or system circumstances. 
This list isn't comprehensive, but serves as a quick reference to help you plan your work. You may choose to make a spreadsheet for yourself to keep track of recurring tasks and due dates.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWeekly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview audit logs\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based upon change requests\u003c/li\u003e\u003cli\u003eEnsure data is backed up\u003c/li\u003e\u003cli\u003eCheck status of any \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonthly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview / deactivate unused accounts\u003c/li\u003e\u003cli\u003eEnsure all POA\u0026amp;Ms with Open or Delay status are annotated with current status\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eQuarterly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all data in CFACTS is current and accurate one week before the end of the quarter (CMS submits a quarterly FISMA report to OMB based on this data)\u003c/li\u003e\u003cli\u003eEnsure the completion of internal vulnerability scans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAnnually\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and update all \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e, such as those listed below. 
Remember that most of these require months of effort to complete, so you must be working on them well in advance.\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e Note: Updating security control implementation is a necessary first step to updating the SSPP. When updating any documents, ensure the old copy is retained.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure that all system users and people with significant security responsibilities (e.g., ISSOs) receive their required annual awareness training\u003c/li\u003e\u003cli\u003eConduct a Contingency Plan Test with associated training, after-action, and updated POA\u0026amp;Ms as necessary. 
Ensure that the Business Owner certifies (signs) any updated CP document.\u003c/li\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) for your system(s) and update as appropriate\u003c/li\u003e\u003cli\u003eEnsure vulnerability assessments are completed at least annually, or when significant changes are made to the system\u003c/li\u003e\u003cli\u003eReview and validate user access rights\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOngoing\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eContinual security control assessment to ensure no risks are present\u003c/li\u003e\u003cli\u003eContinual work on tests and assessments (as needed) such as:\u003cul\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/li\u003e\u003cli\u003ePenetration Testing\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eContinual updating of the \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e (see list in the section above). All of these should be updated as changes occur, and all require an annual review and update.\u003c/li\u003e\u003cli\u003eComplete incident response reports (as required)\u003c/li\u003e\u003cli\u003eATO updates (as required)\u003c/li\u003e\u003cli\u003eRespond to any CCIC monitoring alerts (as required)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eISSO activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this section to learn in-depth about the activities you must understand and perform as an ISSO from the very beginning of your system’s development. These activities support the CMS \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC), which is the framework that standardizes how IT systems are built, maintained, and retired at CMS. 
The ISSO activities also support the Risk Management Framework (RMF) from NIST, which helps organizations integrate security considerations into their software development processes.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct a Security Impact Analysis (SIA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis\u003c/a\u003e\u0026nbsp;is the process that you will use initially for your new system and \u003cstrong\u003eevery time\u003c/strong\u003e a new change to the system is proposed. When you have completed this process, you will be able to provide substantive recommendations to your Business Owner on the impact of any proposed change(s). The impact may be small, or it may rise to the level of a new ATO process.\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; SIAs are frequently thought of as documents.\u0026nbsp; Remember that \u003cstrong\u003eSIA is a process\u003c/strong\u003e.\u0026nbsp; Based on the complexity and extent of the process, a completed form may help better describe the security impact, as well as necessary actions to take.\u0026nbsp; The actual CMS/FISMA requirement noted in ARS 5.1 Control CM-4 requires “Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) to conduct security impact analyses.”\u0026nbsp; It is up to you and your Business Owner/organization to determine the level to which you document your analysis.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-impact-analysis-sia\"\u003eLearn about Security Impact Analysis (SIA)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCategorize your FISMA system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour FISMA system has different security controls based on the sensitivity of the information contained in or 
processed by your system. Categorization takes place within CFACTS.\u0026nbsp; You enter the appropriate area and select the type of information that will be processed.\u0026nbsp; The system categorization will be suggested automatically and noted as “Low”, “Moderate”, or “High”.\u0026nbsp; If necessary, the categorization may be manually overridden; your CRA will have to help with this.\u0026nbsp; In practice this seldom happens.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis system categorization will have a variety of uses.\u0026nbsp; Most importantly, you will need to have this information to determine which controls to allocate for your system.\u003c/p\u003e\u003cp\u003eNote: Although this process sounds like it will only be done once for your FISMA system, \u003cstrong\u003eyou may have to repeat it\u003c/strong\u003e if a proposed change includes access or storage of different types of data. \u0026nbsp; Your completed SIA will guide your actions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eLearn more about system categorization\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSee how to categorize your system in CFACTS\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDetermine the Authorization Boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnother major initial task is to determine the system’s \u003cstrong\u003eAuthorization Boundary\u003c/strong\u003e. 
The NIST definition of authorization boundary is: “All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected”.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eOne practical way of determining the system’s authorization boundary is to ask whether a particular component can be changed by one’s system team, or if another team has to make updates or changes.\u0026nbsp; If your team can make the change or configuration, chances are that the component falls within your authorization boundary. As with system categorization, the authorization boundary is usually determined at the outset of system development. It may expand or contract based on changes to the system over its lifecycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBe aware of High Value Assets (HVAs)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe HHS HVA Program Policy defines HVAs as: “Assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.”\u003c/p\u003e\u003cp\u003eThe practical impact of this program is that, if your FISMA system is defined as an HVA, it will face additional security requirements from DHS and HHS, which may impact the continuity operations and assessments of the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAllocate controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce a system has been categorized, the ISSO has the information necessary to select controls, or allocate them.\u0026nbsp; The process is largely automatic, and is well-described in the CMS Risk Management Handbook (RMH) Chapter 12: Security and Privacy Planning. 
Selected controls are allocated for Low, Moderate, or High systems based on system categorization. The mechanics are described very well in the CFACTS User Manual, so that should be your primary reference point on allocating controls. Some general control types include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem-specific controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThese are controls that your system “owns”.\u0026nbsp; If you are running on hardware that you are responsible for, there are system-specific controls for it.\u0026nbsp; If your system is an application, or Major Application, the system-specific controls are those controls that your developers and administrators configure and maintain.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInherited controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn many cases your system uses components provided by other FISMA systems. In the above example about hardware, what if your system is housed on hardware administered by others? This is not just a possibility — in most cases major applications run within a separate data center. Certainly this is the case for systems housed in the AWS Cloud. In these instances, the data center (or other entity) that houses your system will most likely take care of some of the controls for your system, in which case your system will be able to “inherit” controls.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the providing system completely takes care of a control, it is called a \u003cstrong\u003ecommon, or fully inherited\u003c/strong\u003e control. If the providing system takes care of part of a control, and relies on your system to take care of the rest of the control, it is called a \u003cstrong\u003ehybrid\u003c/strong\u003e control. 
(The CFACTS User Manual has additional information on how to inherit a control.)\u003c/p\u003e\u003cp\u003eUnderstanding which controls your team must address and which controls are available through full or partial inheritance will help you understand how to document your security control compliance (which is the next step in the cycle).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSupplemental controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupplemental controls (previously referred to as non-mandatory controls in ARS 3.1) can be added to a system as necessary, and are not included in baseline control allocation. They should be reviewed and added as appropriate for your system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eImplement security controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIt is your responsibility as your system’s security and privacy Subject Matter Expert to make sure that your Business Owner, system developers, and system administrators understand the controls that must be in place for your system to be “secure” to CMS standards.\u0026nbsp; Once these controls have been implemented, \u003cstrong\u003ethey need to be documented within CFACTS\u003c/strong\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; All security controls that have been allocated for your system \u003cstrong\u003emust have some comment\u003c/strong\u003e. \u0026nbsp; Even fully inherited controls should have a notation that the control is fully inherited.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDevelop system documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eProminent documents are important to understanding the security posture of your FISMA system.\u0026nbsp; CFACTS can help with this process by automatically generating some of the documents, such as the System Security Plan. Other documents are found within CFACTS, such as System Categorization. 
Others, such as the Information System Risk Assessment (ISRA), must be completed using CMS-approved templates. Finally, others may either use a CMS template or a locally generated document such as the Security Impact Analysis (SIA).\u003c/p\u003e\u003cp\u003eNote:\u003cstrong\u003e Make sure that all CFACTS entries, including all security controls, are accurate and complete at all times.\u0026nbsp;\u003c/strong\u003e This will ensure that CFACTS-generated documents are accurate.\u003c/p\u003e\u003cp\u003eItems for the system documentation include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem Security and Privacy Plan (SSPP)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e is the key document associated with the FISMA system security. It should provide an accurate, detailed description of the FISMA system itself, security requirements, and those controls that are actually in place to protect the system. This document is generated by CFACTS.\u003c/p\u003e\u003cp\u003eTip: It is a best practice to maintain older copies of SSPPs as new versions are generated. 
Do not overwrite old SSPPs; you never can tell when you might need to refer to an older version.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eLearn more about System Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Risk Assessment (ISRA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eISRA\u003c/a\u003e details the business and technical risks associated with a FISMA system.\u0026nbsp; It shares high-level information from CFACTS, as well as specific risks noted and how critical they are.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eLearn more about Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePIA\u003c/a\u003e is not simply a compliance step — it guides the full analysis of a system for privacy risks and controls. A PIA is a process for assessing whether appropriate privacy policies, procedures, business practices, and security controls are implemented to ensure compliance with federal privacy regulations. 
PIAs are published on HHS.gov and go through a three-year review process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003eLearn more about Privacy Impact Assessment (PIA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eThird-Party Websites and Applications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_M-10-23.pdf\"\u003eOffice of Management and Budget Memorandum 10-23\u003c/a\u003e, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party websites and applications to ensure that the use protects privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs for all third-party websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. The CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system can be \u003ca href=\"https://www.hhs.gov/pia/index.html#Third-Party\"\u003eaccessed here on the HHS website\u003c/a\u003e. CMS implementation specifications are included in the CMS Acceptable Risk Safeguards (ARS 5.1).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Threshold Analysis\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA Privacy Threshold Analysis (PTA) is a PIA for a system that does not contain PII or only contains HHS employee information. PTAs remain internal to HHS and do not have to go through the three-year review process. A PTA may be updated based on a major change to the system. 
It is also possible that change to a system could result in a PTA then meeting the threshold to be a PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct Contingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://dkanreserve.prod.acquia-sites.com/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp;provides instructions, disaster declaration criteria, and procedures to recover information systems and associated services after a disruption. It involves cooperation with your Business Owner, your data center or hosting facility, and senior CMS leadership. (See CMS Risk Management Handbook Chapter 6: Contingency Planning).\u003c/p\u003e\u003cp\u003eAs the ISSO, you will coordinate efforts with your Business Owner to determine the business criticality of key processes. This effort will result in a Business Impact Analysis (BIA) which, in turn, serves as the primary requirement document for determining key recovery metrics including the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Maximum Tolerable Downtime (MTD), and Work Recovery Time (WRT).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime.\u0026nbsp; Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHere are the key steps and documents involved in Contingency Planning:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCreate Contingency Plan (CP) document\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP Plan is a single document that contains:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey recovery metrics for your FISMA system\u003c/li\u003e\u003cli\u003ePre-defined descriptions of conditions that constitute a need for 
action\u003c/li\u003e\u003cli\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli\u003eItem-level understanding of all of the hardware and software components of the FISMA system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt’s important to keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CP must be attested to (signed) by the FISMA System Owner annually.\u003c/li\u003e\u003cli\u003eAll of the information necessary for carrying out the contingency plan must be in the CP.\u0026nbsp; There should be no references to offline personnel lists, contact information, system information, etc.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAll identified Key Personnel must have access to their own copy of the CP in a secure location that is accessible in the event that the FISMA system is unavailable.\u003c/li\u003e\u003cli\u003eThe Contingency Plan, above all FISMA system documentation, must remain current.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eConduct Contingency Plan (CP) Exercise\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP must be exercised (tested) at least once every 365 days. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one (the easiest) way to test the CP. An exercise plan must be prepared and followed during the execution of the test. All staff who would participate in an actual CP event must be available for the exercise.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: \u003cstrong\u003eKey staff members must be trained annually in their contingency responsibilities.\u003c/strong\u003e It is best to perform this training immediately prior to the exercise. 
Training in this way refreshes individuals’ memories and ensures their availability for the test.\u003c/p\u003e\u003cp\u003e\u003cem\u003eTip: If your FISMA system is involved in an outage that causes you to exercise the CP Plan, you should consider documenting this event as an exercise of your CP Plan.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/contingency-plan\"\u003eLearn more about Contingency Plan testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGet after action report\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter the exercise is conducted, an after action report must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in POA\u0026amp;Ms.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAchieve Contingency Plan (CP) re-certification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter any corrections have been made, the updated Contingency Plan must be re-certified by the System Owner. Make sure that all key staff members receive updated CP documents that they have access to (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssess security controls for your system(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS systems are required to undergo assessments of risk and security/privacy control compliance before they are given Authorization to Operate (ATO). 
The assessment and authorization process protects the security and privacy posture of CMS systems throughout the system development lifecycle.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAssessments of risk and/or control compliance are conducted:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen a new system is ready to be placed into an operational state\u003c/li\u003e\u003cli\u003eWhen a significant change has been made to an existing system\u003c/li\u003e\u003cli\u003eAnnually, if a system follows a FISMA 1/3 assessment schedule\u003c/li\u003e\u003cli\u003eAd hoc when requested or otherwise required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCurrently there are two main types of controls assessments: SCA and ACT.\u0026nbsp; Your component will dictate which type of assessment your system undergoes.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: Whichever one your system uses, make sure to schedule your assessment \u003cstrong\u003eas soon as possible\u003c/strong\u003e. When the assessment is complete, make sure all documentation is complete and housed in CFACTS appropriately.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Controls Assessment (SCA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis is a detailed evaluation of the controls protecting an information system.\u0026nbsp; The security controls assessment determines the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eLearn more about Security Controls Assessment (SCA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP) (Formerly Adaptive Capabilities Testing (ACT))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. 
CSRAP assesses a system's security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePenetration testing\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePenetration testing is performed on information systems or individual system components to identify vulnerabilities that could be exploited by bad actors. It is used to validate vulnerabilities or determine the degree of resistance that organizational information systems have to risk within a set of specified constraints (e.g., time, resources, and/or skills).\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing attempts to duplicate the actions of internal and external bad actors in carrying out hostile cyber-attacks against the organization and allows a more in-depth analysis. 
It can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing is performed on all High Value Assets (HVA) information systems within CMS at a frequency of every 365 days or when there has been a significant change to the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is considered to be part of the group of assessments required for CMS systems, and its results are recorded in CFACTS similarly to the controls assessments (SCA and/or ACT).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003eLearn more about penetration testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Assessment Report (SAR) and CAAT file\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFor all assessments, a final Security Assessment Report (SAR) chronicles the results of the assessment. The \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eRisk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e states:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAt the completion of a security controls assessment, the independent assessor completes a CMS Assessment and Audit Tracking (CAAT) spreadsheet. The CAAT spreadsheet is utilized for all CMS audits, assessments and penetration testing vulnerabilities. The completed CAAT spreadsheet is emailed to the CMS CISO mailbox at \u003c/em\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003e\u003cem\u003eCISO@cms.hhs.gov\u003c/em\u003e\u003c/a\u003e\u003cem\u003e for upload into the CFACTS tool. Once uploaded into CFACTS, the weaknesses are automatically generated for all items with a status of “other than satisfied”. The ISSO for the associated information system receives an automated email notification from the CFACTS tool identifying a new weakness. 
The ISSO has 30 days to create a POA\u0026amp;M within CFACTS.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage Plan of Action and Milestones (POA\u0026amp;M)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe POA\u0026amp;M is a remedial action plan (the process of accepting or resolving a risk) which helps the agency to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and assess information system security and privacy weaknesses\u003c/li\u003e\u003cli\u003eSet priorities about how to mitigate weaknesses using available resources\u003c/li\u003e\u003cli\u003eMonitor and report progress toward mitigating the weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO are responsible for opening, maintaining / updating, and closing POA\u0026amp;Ms on a continual basis to ensure the maximum level of information security for system(s) entrusted to your care.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003eLearn more about Plan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthorize the system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystem authorization is the formal decision by senior officials to allow a CMS information system to operate. 
Commonly known as Authorization to Operate (ATO), this is the culmination of all the tests, assessments, remediation, documentation, and other activities that the ISSO and others on the portfolio team have done to ensure information security for the system.\u003c/p\u003e\u003cp\u003eIn formal terms, authorization is described in the CMS Risk Management Handbook Chapter 4: Security Assessment and Authorization:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSecurity authorizations are official management decisions that are conveyed through authorization decision documents by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. The CIO serves as the authorizing official for CMS. The CIO is responsible for making an overall determination of risk and authorizing CMS information systems for operation, if it is determined that the associated risks are acceptable. 
An ATO memo is signed by the CIO giving the System Owner/BO formal authority to operate a CMS information system.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThere are three NIST document requirements for an ATO “package” and six more that are specific to CMS.\u0026nbsp; The documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Security and Privacy Plan (SSPP)\u003c/li\u003e\u003cli\u003eSecurity Assessment (Final) Report (SAR)\u003c/li\u003e\u003cli\u003ePlans of Action and Milestones (POA\u0026amp;M)\u003c/li\u003e\u003cli\u003eContingency Plan (CP)\u003c/li\u003e\u003cli\u003eCP Testing Plan\u003c/li\u003e\u003cli\u003eCP Test After Action Report\u003c/li\u003e\u003cli\u003eInformation System Risk Assessment (ISRA)\u003c/li\u003e\u003cli\u003ePrivacy Impact Assessment (PIA)\u003c/li\u003e\u003cli\u003eInterconnection Security Agreement (ISA) as applicable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGetting these documents together and conducting all necessary steps can be a long process so \u003cstrong\u003eyou should start working on your ATO as early as possible\u003c/strong\u003e to ensure timely completion.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/authorization-operate-ato\"\u003eLearn more about System Authorization\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuous monitoring\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eContinuous monitoring is the practice of using modern tools and technology to continuously check systems for vulnerabilities and risks. Rather than thinking of getting an ATO as having “achieved” compliance, continuous monitoring allows us to observe and track evolving risks over time. Security is never “done”.\u003c/p\u003e\u003cp\u003eContinuous monitoring is a growing program at CMS. 
As an ISSO, you will work closely with the CMS Cybersecurity Integration Center (CCIC) to ensure that your system is appropriately monitored.\u0026nbsp; CCIC ensures oversight of information security and privacy, including Security Information and Event Management, for each FISMA system operated by or on behalf of CMS.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CCIC delivers various agency-wide security services.\u0026nbsp; These services include \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e as well as security engineering, incident management, forensics and malware analysis, information sharing, cyber threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eMore information about continuous monitoring can be found in the \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eCMS Risk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage security incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAlong the way, a system entrusted to your care might have a security or privacy incident or breach. Anytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. 
If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eKnown or suspected security or privacy incidents involving CMS information or information systems \u003cstrong\u003emust be reported immediately\u003c/strong\u003e to the CMS IT Service Desk:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 1-800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO should be apprised of the situation as soon as possible (if youre not the one who initially reported the incident). You will work with the Incident Management Team (IMT) and others involved with your system to manage and report the incident and mitigate any resulting harm. More details can be found in the CMS Risk Management Handbook (RMH) Chapter 8: Incident Response.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISSO toolkit\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section contains links to documents you will access often in your daily activities, and resources to support your work as an ISSO. You should become familiar with the purpose and usage of each.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocuments\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Information Security Acceptable Risk Safeguards (ARS 5.1) defines information security and privacy control requirements and includes additional, detailed policy traceability statements within each control description. 
The ARS 5.1 provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS 5.1 may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.\u003c/p\u003e\u003cp\u003eThe goal of the ARS 5.1 is to define a baseline of minimum information security and privacy assurance controls. The controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS. Protecting and ensuring the confidentiality, integrity, and availability for all of CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS 5.1 complies with the CMS IS2P2 by providing a defense-in-depth security structure along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cybergeek.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eLearn more about ARS 5.1\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis policy defines the framework under which CMS protects and controls access to CMS information and information systems. 
It provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information to assure the confidentiality, integrity, and availability of CMS information and systems.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eAlong with the Acceptable Risk Safeguards (ARS 5.1), the IS2P2 stands as one of the core reference sources for cybersecurity policies and practices at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eGo to the IS2P2\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Risk Management Handbooks\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis series of handbooks is designed to help ISSOs understand and address the many CMS security and privacy requirements developed to protect their system(s). The RMH chapters are generally aligned to provide specific guidance and recommendations for specific ARS 5.1 Control Families. (For example, \u003cstrong\u003eRMH Chapter 6: Contingency Planning\u003c/strong\u003e addresses the ARS 5.1 controls in the \u003cstrong\u003eCP Family\u003c/strong\u003e.) As you work through your ARS 5.1 controls, you should have the appropriate RMH handy.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eLearn more about the CMS Risk Management Handbook (RMH)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTools and resources\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS FISMA Controls Tracking System (CFACTS) is the system used by CMS as a repository for managing the security and privacy requirements of its information systems. 
It provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across the CMS enterprise. You will use it for tracking your tasks associated with system authorization, risk remediation, and more.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx#home\"\u003eGo to CFACTS\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003cp\u003eA user manual is produced by the team that administers CFACTS and gives a guided tour through all activities in CFACTS. Although it is not a primer in risk management, many activities and concepts can be understood implicitly through their description in the User Manual and implementation in CFACTS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx\"\u003eGo to CFACTS user manual\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISPG website (CyberGeek)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Information Security and Privacy Group (ISPG) provides the “CyberGeek” website as a one-stop shop for all security and privacy related information at CMS including dedicated resource pages for ISSOs and other roles. This is a new site, and more information will become available as it grows.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/\"\u003eGo to ISPG website (CyberGeek)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Slack\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSlack is an application that allows for fast and easy communication among all CMS employees and contractors. Spaces called channels allow for focused communication which will keep you organized and informed during your daily routine. 
Below is a list of Slack channels that will help you on your journey to becoming a fully independent ISSO:\u003c/p\u003e\u003cul\u003e\u003cli\u003e#ars-feedback\u003c/li\u003e\u003cli\u003e#cfacts_community\u003c/li\u003e\u003cli\u003e#cisab\u003c/li\u003e\u003cli\u003e#cms-isso\u003c/li\u003e\u003cli\u003e#cyber-risk-management\u003c/li\u003e\u003cli\u003e#ispg-all\u003c/li\u003e\u003cli\u003e#isso-as-a-service\u003c/li\u003e\u003cli\u003e#security_community\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAcronyms\u003c/h4\u003e\u003cp\u003eLike most other parts of government, the security and privacy world at CMS is full of acronyms. ISPG maintains a list of acronyms so you can easily look up unfamiliar terms.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/acronyms\"\u003eSee the acronym list here\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Framework\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an ISSO, your daily tasks support CMS in applying the NIST Cybersecurity Framework (CSF), guidance created by the National Institute of Standards and Technology to help organizations effectively manage cybersecurity risk. (Executive Order 13800, \u003ca href=\"https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure\"\u003eStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure\u003c/a\u003e, made the Framework mandatory for U.S. federal government agencies.)\u003c/p\u003e\u003cp\u003eWe have created the \u003cstrong\u003eISSO Framework\u003c/strong\u003e to show how ISSO responsibilities align with specific functions and categories of the NIST Cybersecurity Framework, and how the ISSO works with other people within the organization to complete tasks. 
You can refer to this Framework whenever you have questions about documentation or activities related to your job.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSPC/ISPG%20DSPC%20Documents%20%20Internal/ISSO%20Engagement%20and%20Outreach%20Initiative/ISSO%20Framework\"\u003eGo to the ISSO Framework\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity and Privacy Language for IT Procurements\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS provides templated language to use in IT procurements to ensure the security and privacy of information and information systems that CMS uses. This includes systems provided or managed by contractors or subcontractors on behalf of CMS. The ISSO may provide support to this process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-and-privacy-requirements-it-procurements\"\u003eLearn more about Security and Privacy Language for IT Procurements\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTarget Life Cycle (TLC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS requires all new IT systems to follow the Target Life Cycle (TLC), a common framework for governing system development across the enterprise. The TLC accommodates various IT development methodologies while ensuring that systems meet all applicable legislative and policy requirements.\u0026nbsp;\u003c/p\u003e\u003cp\u003e(The TLC has replaced the former Expedited Life Cycle (XLC) as the official IT governance framework at CMS. 
If your current projects or contracts specify the use of XLC-related tools, templates, or reviews, you may continue using them.\u0026nbsp; You may also use fewer or alternative tools and templates, as long as you meet the minimum requirements outlined within the TLC.)\u003c/p\u003e\u003cp\u003eAs an ISSO, you will enter the TLC by filling out an intake form when:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInitiate a new IT project\u003c/li\u003e\u003cli\u003eConduct an acquisition to support a new IT project\u003c/li\u003e\u003cli\u003eRequest new/increased funding to support an IT project\u0026nbsp;\u003c/li\u003e\u003cli\u003ePlan significant changes to an existing IT project\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter submitting your form, the CMS IT Governance Team will help you meet TLC requirements. You can also contact the governance team via email: \u003ca href=\"mailto:IT_Governance@cms.hhs.gov\"\u003eIT_Governance@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC\"\u003eLearn more about the TLC\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/CIOCorner/Lists/Intake/NewForm.aspx\"\u003eFill out an intake form\u003c/a\u003e (requires CMS login)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eResources external to CMS\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) is the parent organization for CMS. All of our policies and guidance are based on HHS-level documentation. 
The IS2P comprises HHS policies and procedures that ensure the secure collection, use, sharing, and storage of information that is both terrorism-related information and “protected information (PI)”.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere possible, this document identifies existing HHS policies and procedures that meet the privacy requirements. Where necessary, however, this document also creates policies specific to the activities and resources that HHS requires.\u0026nbsp; The IS2P is one of the base documents from which CMS requirements are created. You can request a copy of this policy from the CISO team: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHHS Cybersecurity Library\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes CMS borrows policies and standards directly from HHS, our parent organization. You will sometimes need to access the HHS library of cybersecurity documents for your work.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://intranet.hhs.gov/security/index.html\"\u003eGo to the HHS library\u003c/a\u003e (requires login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Special Publications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eNIST Special Publications in the 800 series are of general interest to the computer security community, and these documents serve as the foundation for CMS security and privacy practices. 
Specifically helpful to ISSOs are the publications that contain detailed explanations of information security controls and the test cases used to assess them.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53: Recommended Security Controls for Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final\"\u003eNIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-800-series-of-special-publications\"\u003eLearn more about NIST SP 800 series\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Computer Security Resource Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe National Institute of Standards and Technology (NIST) publishes helpful resources on computer, cyber, and information security and privacy. Explore publications, news, programs, and events that will help you expand your cybersecurity knowledge.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/\"\u003eVisit the NIST Resource Center\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOMB Memoranda and Circulars\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEvery year, the Office of Management and Budget (OMB) publishes a Memo with reporting instructions and guidance for FISMA, which can be useful to people with cybersecurity responsibilities at CMS. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/memoranda/\"\u003eExplore OMB memos here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThere are a number of OMB Circulars that provide general guidance on information security. 
Three of the most relevant are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a130_a130appendix_iii\"\u003eA-130 - Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_Circular_A-123.pdf\"\u003eA-123 - Management's Responsibility for Internal Control\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a127/\"\u003eA-127 - Financial Management Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOMB A-130 applies to all IT systems while A-123 and A-127 apply primarily to financial systems. ISSOs should be aware of these foundation documents and have a general understanding of their content. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars/\"\u003eExplore all OMB Circulars here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho to contact\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen you have a question or challenge, we are here to help! Here are key points of contact for situations you may face as an ISSO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy incident\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReport known or suspected security or privacy incidents involving CMS data to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDo you have a question or concern related to CMS information security or privacy, and need a place to start? 
Send an email to the CISO Team at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e regarding information security, or an email to \u003ca href=\"mailto:Privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e for questions regarding information privacy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you have questions about the ISSO role or other activities such as the ISSO Forum —or if you just want to hear from an ISSO — send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOversight and guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) and Privacy Advisor are your ISPG support representatives. They help improve accountability and risk management by providing hands-on oversight to system cybersecurity and privacy risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO community\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Community Forum (C3F)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis monthly meeting is held for the benefit of the CMS security community, covering timely and relevant topics from ISPG speakers. Its open to all CMS and contractor security professionals. Meeting details (location, time, video conferencing link) will be in the email invitation, which is sent monthly to everyone at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eSee past Forum videos and materials\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Journal\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRead the ISSO Journal to stay updated on cybersecurity trends, learn about current events, and hear from other ISSOs. 
The Journal is distributed widely among CMS staff, and all cybersecurity professionals both CMS and contractor staff are invited to contribute! Contact us by email (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e) if you would like to write a post.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Journal\"\u003eRead the ISSO Journal\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe mentorship program allows experienced ISSOs to support those who are newer to the role. For mentors, this is an opportunity to build leadership skills and strengthen the future of cybersecurity at CMS. For mentees, this allows you to build your knowledge faster and get hands-on support. The structure of the program is flexible — both ISSOs will decide what cadence and duration for meetings works for them.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA mentorship usually lasts 6 months to a year. Your supervisor will need to approve your participation in the program.\u0026nbsp; Note that although the program is generally used by newer ISSOs, it is also available for existing ISSOs who want additional bootstrap help for example, if they are dealing with an issue or project that is new to them. Mentorship is for these ISSOs, too!\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/isso-mentorship-program\"\u003eLearn about the ISSO Mentorship Program\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePeople come to the ISSO role from many backgrounds, with differing experiences, so each may start at a different place. Broadly, ISSOs need to have both general cybersecurity knowledge and specific knowledge of how things operate at CMS. 
For new ISSOs, see the “Getting Started” section of this Handbook for tips on beginning your training journey.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNICE code for ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere is a Federal initiative to help train cybersecurity professionals. The \u003ca href=\"https://www.nist.gov/itl/applied-cybersecurity/nice\"\u003eNational Initiative for Cybersecurity Education\u003c/a\u003e (NICE) seeks to link appropriate training to cybersecurity roles by associating NICE “codes” with training opportunities. \u003cstrong\u003eAs an ISSO, your NICE code is OVMGT001\u003c/strong\u003e. Knowing this will help you find appropriate training for particular tasks or knowledge areas.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining sources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are many external sources such as professional associations and training organizations that can help you expand your cybersecurity knowledge and skills, but you can also get excellent free training that is provided by CMS and HHS. 
They are offered via the following platforms:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"http://www.cms.gov/cbt\"\u003eCMS Computer Based Training\u003c/a\u003e (CBT) - Free online training courses provided by CMS\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Training Catalog - List of current training offerings and events (such as webinars) from CMS\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/display/IIP/ISSO+Training\"\u003eISSO Training Page\u003c/a\u003e - Collection of training resources in the ISPG Confluence environment that helps you navigate the training options available to you\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://ams.hhs.gov/amsLogin/SimpleLogin.jsp\"\u003eHHS Learning Management System\u003c/a\u003e\u0026nbsp; (LMS) - Free courses for federal employees (not contractors) provided through HHS to advance your core cybersecurity knowledge or prepare you for certifications\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://fedvte.usalearning.gov/\"\u003eFederal Virtual Training Environment\u003c/a\u003e (FedVTE) - Another source of free training courses available to federal employees and contractors (similar to the LMS above).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo help ISSOs focus on the most relevant training, below is a list of Basic, Intermediate, and Advanced courses that will help you grow in the specific skills needed for your role.\u003c/p\u003e\u003ch4\u003eBasic ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below provide both an introduction to cybersecurity in general and guidance on how these concepts are implemented at CMS. The courses listed in bold are the most important. You should consider some or all of the rest of the courses as your time permits. If possible, try to complete the bolded courses within your first two months as an ISSO. There is no cost to take these courses. 
Note: HHS LMS is only available to federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eISSO Fundamentals\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWorking With CFACTS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eClassroom / Remote\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAll About the CMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrivacy and Awareness Training\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExecutives Guide to Security: Protecting Your Information\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Awareness: Getting Started with Security Foundations, Information Security Fundamentals, and Key Security Terms\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing, Safeguarding Mobile Devices, and Privacy \u0026amp; Information Security (The Basics)\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity 101: Auditing \u0026amp; Incident Response and Session \u0026amp; Risk Management\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eIntermediate ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below will build on your initial knowledge. As before, you should start with the courses listed in bold, or on topics that have immediate importance to you. There is no cost to take these courses. 
Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eNavigating New Cybersecurity and Privacy Policies and Procedures\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHow Hackers Hack and How to Protect Yourself\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident Response at CMS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCMS Privacy Incident Response: Quick Guide for Business Owners\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Race\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFundamentals of Cyber Risk Management\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFoundations of Incident Management\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Audits\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eImplementation of Security Controls\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eAdvanced ISSO training\u003c/h4\u003e\u003cp\u003eThe advanced courses recommended below will help you gain a deeper understanding of the cybersecurity issues that you have been working with. They may also be appropriate to take earlier if you entered the ISSO role with a good basic understanding of both CMS operations and cybersecurity in general. 
There is no cost to take these courses.\u0026nbsp; Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEmerging Cyber Security Threats\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring Infrastructure Devices\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring the Network Perimeter\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Computing Fundamentals: Cloud Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Architecture\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Platforms\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCloud Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA A+: Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEncryption and Malware\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA Server+: Network Security Protocols\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA 
Cloud+\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1b:T12321,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook gives practical guidance to Information System Security Officers (ISSO)s at CMS when performing their necessary tasks.\u0026nbsp; It helps new ISSOs get started and explains the responsibilities, resources, and organizational relationships needed for an ISSO to be successful.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis guide is for CMS (Federal) ISSOs, Contractor ISSOs, and contract security support individuals.\u0026nbsp; Business Owners and their staff may also find parts of this handbook useful, particularly when appointing new ISSOs or gaining a better understanding of ISSO tasks.\u003c/p\u003e\u003cp\u003eThe ISSO role is critical to the safe and authorized use of sensitive information in support of CMS commitment to improving healthcare for millions of Americans. As an ISSO,\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat do ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery CMS system must formally designate an ISSO who serves as the primary point of contact responsible for the systems security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISSOs at CMS are responsible for overseeing the security and privacy posture of the system(s) entrusted to their care, coordinating all information system risk management and information privacy activities, and acting as the Business Owners “go-to person” for security questions and needs. 
Together, the ISSOs make up a supportive community working to ensure the success of the cybersecurity program at CMS.\u003c/p\u003e\u003cp\u003eFor more details, see the section on role and responsibilities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho do ISSOs work with?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is part of the\u003cstrong\u003e portfolio team\u003c/strong\u003e the group of people who work together to make sure that any given CMS information system complies with federal security requirements and is managed in a way that protects the personal and health information of those who depend on CMS for benefits. The portfolio team has the following roles:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProgram Executive, Information System Owner (ISO), Business Owner (BO), and Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese people work together to take full responsibility for implementing the required security and privacy controls and managing the cybersecurity and privacy risk posture for each system. All of these roles must be an agency official (federal government employee) except the ISSO, which may be a federal employee or a contractor.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCRAs are the “go-to” experts in all areas of risk management, and as such they evaluate and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the Authorizing Official. CRAs also help to identify the types of information processed by a system, assign the appropriate security categorizations, determine the privacy impacts, and manage information security and privacy risk. 
They facilitate the completion of all federal cybersecurity and privacy requirements, and this means that CRAs and ISSOs often work closely together.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Data Guardian coordinates CMS Program activities involving beneficiary and other types of consumer information that require privacy protections.\u0026nbsp; The Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Privacy Advisor is a member of ISPG who provides privacy-related expertise to help the team identify and manage privacy risk.\u0026nbsp; The Privacy Advisor is an agency official (federal government employee) and serves as a point of contact for issues related to the Privacy Act. They also support the completion of privacy-related artifacts such as Systems of Records Notice (SORN), Privacy Act reviews, and FISMA and Privacy Management Report.\u003c/p\u003e\u003cp\u003eDetailed information about all of these roles can be found in the CMS Information Security and Privacy Policy (IS2P2) and the HHS Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat should an ISSO know?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of every ISSO should be to support the BO to securely provide the service intended by the system. To help accomplish this goal, an ISSO should ideally know and understand their component's business processes and how the system supports that business. This knowledge is critically applied during the construction of the System Security and Privacy Plan (SSPP).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation security is a means to an end and not the end in itself\u003c/strong\u003e. 
In the public sector, information security is secondary to the agency's services provided to its constituency. We, as security professionals, must not lose sight of these goals and objectives.\u003c/p\u003e\u003cp\u003eIn order to help the BO provide a CMS service in a manner that is demonstrably secure and safeguards any sensitive beneficiary information, the ISSO must know (at a minimum):\u003c/p\u003e\u003cul\u003e\u003cli\u003eMission and business functions of their component\u003c/li\u003e\u003cli\u003eHow the system supports the components mission\u003c/li\u003e\u003cli\u003eSystem details, including:\u003cul\u003e\u003cli\u003eArchitecture\u003c/li\u003e\u003cli\u003eSystem components (hardware, software, peripherals, etc.)\u003c/li\u003e\u003cli\u003eLocation of each system component\u003c/li\u003e\u003cli\u003eData flow\u003c/li\u003e\u003cli\u003eInterconnections (internal and external)\u003c/li\u003e\u003cli\u003eSecurity categorization\u0026nbsp;\u003c/li\u003e\u003cli\u003eSecurity requirements\u003c/li\u003e\u003cli\u003eConfiguration management processes and procedures\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers (how many, location, role, etc.)\u003c/li\u003e\u003cli\u003eKey personnel by name\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow are ISSOs appointed?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Program Executive in coordination with the Data Guardian, ISO, and Business Owner, is responsible for nominating appropriately qualified ISSO appointees, as defined under FISMA, to the CISO for approval.\u003c/p\u003e\u003cp\u003eThe nominated ISSO, by signing the appointment letter, agrees to maintain the appropriate operational security posture of the information system by fulfilling all of the responsibilities identified in the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/a\u003e and the HHS 
Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eA subset of the ISSO's duties and responsibilities is contained in the \u003ca href=\"/learn/isso-appointment-letter\"\u003eappointment letter\u003c/a\u003e. ISSO letters must be updated whenever a change occurs. The designated ISSO should be consistently identified in three sources: the ISSO letter, the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e, and in \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe signed appointment letter should be given to the appropriate CRA for further action.\u0026nbsp;\u003cstrong\u003e It is the responsibility of the CRA to upload the letter to CFACTS\u003c/strong\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eGetting started (for new ISSOs)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCongratulations on your new assignment as an Information System Security Officer (ISSO) at CMS! Because you are charged with protecting the sensitive information contained in systems that support healthcare delivery for millions of people, your role is vital to the success of CMS's mission. You will learn how to identify and protect information that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eIndividually Identifiable Information (IIF)\u003c/li\u003e\u003cli\u003eProtected Health Information (PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis means that security must become a vital part of your daily routine and always top-of-mind. 
Your training as an ISSO will ensure that you know and understand the requirements for protecting government assets like classified information, property, and personnel.\u003c/p\u003e\u003cp\u003eMost importantly, you will learn to work as part of a team that is dedicated to making sure CMS information systems can operate securely. While CMS has established a security program to protect assets and keep sensitive information safe, the key ingredient is always \u003cstrong\u003epeople\u003c/strong\u003e. No matter how comprehensive a program may be, you and your coworkers will ultimately determine the success of our established procedures.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnd we are here to help you along the way! This Handbook is your primary resource for initial information about your role, and will direct you to other sources of help and support.\u003c/p\u003e\u003cp\u003eHere are the steps you should take to get started:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the paperwork\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you have not already, make sure that your \u003ca href=\"/learn/isso-appointment-letter\"\u003e\u003cstrong\u003eISSO Appointment Letter\u003c/strong\u003e\u003c/a\u003e is completed and submitted to your Cyber Risk Advisor (CRA) by your Business Owner (BO). The Appointment Letter is intended to formally nominate you as an ISSO. It also gives you a wealth of information about your duties and responsibilities. It also contains the qualifications and training to which you should aspire. 
This document may be your first communication with your CRA — the first of many conversations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf you need a copy of the ISSO Appointment Letter template, contact the ISSO Support Team: \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete ISSO onboarding\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO Support team in ISPG can help get you started. You should ask for an initial meeting with the team to orient you to your new role and next steps. \u0026nbsp; You should also reach out to your CRA, who may wish to meet on a regular basis initially, especially if your system has an important near-term milestone. If your BO did not set this up for you, you can do it yourself by sending a note to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. It is helpful to put the word “Onboarding” in the subject line.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnow your systems\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMake sure that in your conversation with your Business Owner, you understand whether you are going to be the primary ISSO (or the only ISSO), or if you are going to be an assistant. Do you know where your system is located? When does the Authority to Operate (ATO) expire? Are you working on a new system? The more you know at the beginning, the easier it will be to prioritize and to work with your integrated team. If you have questions about any of this, reach out to the ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIn addition to your BO and your CRA, there are others that you should get to know. We recommend that you reach out to them. We also recommend face to face meetings, at least initially. 
Some others you should get to know include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOther ISSOs in your component, if applicable\u003c/li\u003e\u003cli\u003eYour system's Technical Lead\u003c/li\u003e\u003cli\u003eWhen appropriate, your system's contractor security support\u003c/li\u003e\u003cli\u003eThe ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssess your skills with the ISSO Score Card\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs come from many backgrounds, both technical and non-technical. Even new ISSOs with a technical background may not be familiar with the “CMS way” of operating. While you will be busy with your new role, you should take some initial time to get a better awareness of your capabilities to be a CMS ISSO through some focused initial training.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe've made it easy to figure out what training you should prioritize using a self-assessment tool: the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card.\u003c/a\u003e Every ISSO is encouraged to take this assessment regularly as their knowledge expands. 
The ISSO Score Card is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eConfidential\u003c/strong\u003e - only you will see the results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eQuick\u003c/strong\u003e - only taking 10-15 minutes to complete\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eGeared to ISSO duties\u003c/strong\u003e - taken directly from CMS policies and requirements\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePersonalized\u003c/strong\u003e - you'll get a customized report to help you make a training plan\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEasy\u003c/strong\u003e - using a simple online web interface\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eGo to the ISSO Score Card\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSign up for training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs an ISSO, it is vital that you understand security and privacy fundamentals and how they are applied at CMS. Regardless of your prior level of experience, you will need to know the CMS-specific workflows and governance. There is a wealth of training available to you, both for getting started and deepening your knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWondering where to start\u003c/strong\u003e? Here's a simple checklist to make sure you complete the essential training that will start you on the road to success:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFigure out what you need to know (or brush up on) using the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card\u003c/a\u003e. 
Use the results to sign up for training that is customized to your level.\u003c/li\u003e\u003cli\u003eLearn about 6 key job functions of ISSOs using the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003evideo training series from CMS\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eSign up for CFACTS training — it's worth the 2-day time investment to get a solid grasp on this essential tool for the ISSO's daily work. (This is available in the CMS Computer Based Training platform).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFinally, to build upon the checklist above, we have provided a list of Basic, Intermediate, and Advanced ISSO training courses that are free for you to take. See the Training section of this Handbook for details.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGet a mentor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOptionally, you can join the \u003ca href=\"/learn/isso-mentorship-program\"\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/a\u003e to be paired with an experienced ISSO. Once paired, you should work together to develop a cadence for meeting and knowledge sharing. This allows you to gain confidence faster and get hands-on support. Learn more about the ISSO Mentorship Program here.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eJoin the community\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cybersecurity community at CMS is alive and growing. There are all kinds of ways that you can get involved, get an idea of what's going on at CMS, and learn how it affects you. Attend the CMS Cybersecurity Community Forum, read the ISSO Journal, and look for ISPG-sponsored security and privacy activities.\u003c/p\u003e\u003cp\u003eFinally, if you have any questions along the way, just ask. 
Your job is very important to the success of CMS programs, and everyone at ISPG is here to support you!\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGoals for your first year\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy the end of your first year as an ISSO, it should be your goal to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn the security planning and administrative security procedures for systems that process sensitive information such as PHI, PII, FTI, and classified and national intelligence data\u003c/li\u003e\u003cli\u003eUnderstand the implementation and enforcement of CMS Information System Security and Privacy policies and practices\u0026nbsp;\u003c/li\u003e\u003cli\u003eKnow the concerns and requirements that determine the administration and management of physical, system, and data access controls based on the sensitivity of the data processed and the corresponding authorization requirements\u003c/li\u003e\u003cli\u003eLearn the identification, analysis, assessment and evaluation of information system threats and vulnerabilities and their impact on their components critical information infrastructures\u003c/li\u003e\u003cli\u003eBe able to identify management, technical, personnel, operational and physical security controls\u003c/li\u003e\u003cli\u003eUnderstand any additional critical areas of knowledge related to your system\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eRole and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSOs maintain a strong security and privacy posture for their assigned system(s) in the following high-level ways:\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eServe as principal advisor\u003c/strong\u003e to the System Owner (SO), Business Owner (BO), and the Chief Information Security Officer (CISO) on all system security and privacy matters\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain system authorization \u003c/strong\u003eby following the \u003ca 
href=\"/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eNIST Risk Management Framework\u003c/a\u003e to select, implement, document, test, and maintain the security and privacy controls required to authorize and operate information systems within CMSs risk tolerance throughout the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain security and privacy operations\u003c/strong\u003e capabilities sufficient to identify, detect, protect, respond, and recover from security incidents (as per the \u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-cybersecurity-framework-csf\"\u003eNIST Cybersecurity Framework\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMeet federal reporting requirements\u003c/strong\u003e for information security and privacy, including documenting and mitigating weaknesses and reporting incidents and breaches\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eManage privacy requirements\u003c/strong\u003e by working collaboratively with Data Guardians and Privacy Advisors\u003c/p\u003e\u003cp\u003eThe official role and specific responsibilities for ISSOs are outlined in detail by the CMS Information Security and Privacy Policy (IS2P2), which is based upon the related policy document from HHS (IS2P). 
The following list is based on those policy documents and includes some key duties for ISSOs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eComplete the security categorization for the FISMA system using the CFACTS tool\u003c/li\u003e\u003cli\u003eComplete and maintain the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e using the CFACTS tool\u003c/li\u003e\u003cli\u003eEnsure \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Tests\u003c/a\u003e have been scheduled and completed in a timely manner\u003c/li\u003e\u003cli\u003eDevelop, document and maintain an inventory of hardware and software components within the FISMA systems authorization boundary\u003c/li\u003e\u003cli\u003eCoordinate the development of a \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan\u003c/a\u003e and ensure the plan is tested and maintained accordingly\u003c/li\u003e\u003cli\u003eMaintain primary responsibility for the actions and activities associated with the FISMA system receiving and maintaining an \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to manage information security and privacy risk\u003c/li\u003e\u003cli\u003eMonitor and update all POA\u0026amp;Ms in accordance with current requirements and instruction\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline\u003c/li\u003e\u003cli\u003eIdentify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems;\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to meet all collection, creation, use, dissemination, 
retention, and maintenance requirements for sensitive information in accordance with the Privacy Act, E-Government Act, and all other applicable guidance\u003c/li\u003e\u003cli\u003eCoordinate with the BO, Contracting Officer, ISO, and CISO to ensure that all requirements specified by the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e and the \u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eRMH\u003c/a\u003e are implemented and enforced for applicable information and information systems\u003c/li\u003e\u003cli\u003eReport and manage IT Security and Privacy Incidents in accordance to the RMH and other applicable federal guidance\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTypes of ISSO roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe specific type of ISSO role assigned to a system will depend on the needs of the system and the available personnel. The descriptions below are taken from the CMS Information Security and Privacy Policy (IS2P2).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrimary Information System Security Officer (P-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS P-ISSO may be either a federal government employee or a contractor and must fulfill all of the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.24, System Security and System Privacy Officers. 
ISSO must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the IS2P Sections 7.26 and 7.30.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecondary Information System Security Officer (S-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS S-ISSO may be either a federal government employee or a contractor identified in the IS2P Section 7.25, ISSO Designated Representative / Security Steward and must assist the P-ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Security Officer Contractor Support (ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ISSOCS is a contractor-only role that assists and supports the P-ISSO and S-ISSO roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor role may be performed by an ISSO. The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.23.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by an ISSO. The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.30.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO checklist\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis section provides a list of specific tasks an ISSO should perform periodically. The timelines listed for each task are general guidelines, which may vary depending on the Component guidance or system circumstances. 
This list isn't comprehensive, but serves as a quick reference to help you plan your work. You may choose to make a spreadsheet for yourself to keep track of recurring tasks and due dates.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWeekly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview audit logs\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based upon change requests\u003c/li\u003e\u003cli\u003eEnsure data is backed up\u003c/li\u003e\u003cli\u003eCheck status of any \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonthly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview / deactivate unused accounts\u003c/li\u003e\u003cli\u003eEnsure all POA\u0026amp;Ms with Open or Delay status are annotated with current status\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eQuarterly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all data in CFACTS is current and accurate one week before the end of the quarter (CMS submits a quarterly FISMA report to OMB based on this data)\u003c/li\u003e\u003cli\u003eEnsure the completion of internal vulnerability scans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAnnually\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and update all \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e, such as those listed below. 
Remember that most of these require months of effort to complete, so you must be working on them well in advance.\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e Note: Updating security control implementation is a necessary first step to updating the SSPP. When updating any documents, ensure the old copy is retained.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure that all system users and people with significant security responsibilities (e.g., ISSOs) receive their required annual awareness training\u003c/li\u003e\u003cli\u003eConduct a Contingency Plan Test with associated training, after-action, and updated POA\u0026amp;Ms as necessary. 
Ensure that the Business Owner certifies (signs) any updated CP document.\u003c/li\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) for your system(s) and update as appropriate\u003c/li\u003e\u003cli\u003eEnsure vulnerability assessments are completed at least annually, or when significant changes are made to the system\u003c/li\u003e\u003cli\u003eReview and validate user access rights\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOngoing\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eContinual security control assessment to ensure no risks are present\u003c/li\u003e\u003cli\u003eContinual work on tests and assessments (as needed) such as:\u003cul\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/li\u003e\u003cli\u003ePenetration Testing\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eContinual updating of the \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e (see list in the section above). All of these should be updated as changes occur, and all require an annual review and update.\u003c/li\u003e\u003cli\u003eComplete incident response reports (as required)\u003c/li\u003e\u003cli\u003eATO updates (as required)\u003c/li\u003e\u003cli\u003eRespond to any CCIC monitoring alerts (as required)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eISSO activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this section to learn in-depth about the activities you must understand and perform as an ISSO from the very beginning of your systems development. These activities support the CMS \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC), which is the framework that standardizes how IT systems are built, maintained, and retired at CMS. 
The ISSO activities also support the Risk Management Framework (RMF) from NIST, which helps organizations integrate security considerations into their software development processes.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct a Security Impact Analysis (SIA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis\u003c/a\u003e\u0026nbsp;is the process that you will use initially for your new system and \u003cstrong\u003eevery time\u003c/strong\u003e a new change to the system is proposed. When you have completed this process, you will be able to provide substantive recommendations to your Business Owner on the impact of any proposed change(s). The impact may be small, or it may rise to the level of a new ATO process.\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; SIAs are frequently thought of as documents.\u0026nbsp; Remember that \u003cstrong\u003eSIA is a process\u003c/strong\u003e.\u0026nbsp; Based on the complexity and extent of the process, a completed form may help better describe the security impact, as well as necessary actions to take.\u0026nbsp; The actual CMS/FISMA requirement noted in ARS 5.1 Control CM-4 requires “Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) to conduct security impact analyses.”\u0026nbsp; It is up to you and your Business Owner/organization to determine the level to which you document your analysis.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-impact-analysis-sia\"\u003eLearn about Security Impact Assessment (SIA)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCategorize your FISMA system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour FISMA system has different security controls based on the sensitivity of the information contained in or 
processed by your system. Categorization takes place within CFACTS.\u0026nbsp; You enter the appropriate area and select the type of information that will be processed.\u0026nbsp; The system categorization will be suggested automatically and noted as “Low”, “Moderate”, or “High”.\u0026nbsp; If necessary, the categorization may be manually overridden; your CRA will have to help with this.\u0026nbsp; In practice this seldom happens.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis system categorization will have a variety of uses.\u0026nbsp; Most importantly, you will need to have this information to determine which controls to allocate for your system.\u003c/p\u003e\u003cp\u003eNote: Although this process sounds like it will only be done once for your FISMA system, \u003cstrong\u003eyou may have to repeat it\u003c/strong\u003e if a proposed change includes access or storage of different types of data. \u0026nbsp; Your completed SIA will guide your actions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eLearn more about system categorization here\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSee how to categorize your system in CFACTS\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDetermine the Authorization Boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnother major initial task is to determine the systems \u003cstrong\u003eAuthorization Boundary\u003c/strong\u003e. 
The NIST definition of authorization boundary is: “All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected”.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eOne practical way of determining the systems authorization boundary is to ask whether a particular component can be changed by ones system team, or if another team has to make updates or changes.\u0026nbsp; If your team can make the change or configuration, chances are that the component falls within your authorization boundary. As with system categorization, the authorization boundary is usually determined at the outset of system development. It may expand or contract based on changes to the system over its lifecycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBe aware of High Value Assets (HVAs)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe HHS HVA Program Policy defines HVAs as: “Assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.”\u003c/p\u003e\u003cp\u003eThe practical impact of this program is that, if your FISMA system is defined as an HVA, it will face additional security requirements from DHS and HHS, which may impact the continuity operations and assessments of the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAllocate controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce a system has been categorized, the ISSO has the information necessary to select controls, or allocate them.\u0026nbsp; The process is largely automatic, and is well-described in the CMS Risk Management Handbook (RMH) Chapter 12: Security and Privacy Planning. 
Selected controls are allocated for Low, Moderate, or High systems based on system categorization. The mechanics are described very well in the CFACTS User Manual, so that should be your primary reference point on allocating controls. Some general control types include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem-specific controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThese are controls that your system “owns”.\u0026nbsp; If you are running on hardware that you are responsible for, there are system-specific controls for it.\u0026nbsp; If your system is an application, or Major Application, the system-specific controls are those controls that your developers and administrators configure and maintain.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInherited controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn many cases your system uses components provided by other FISMA systems. In the above example about hardware, what if your system is housed on hardware administered by others? This is not just a possibility — in most cases major applications run within a separate data center. Certainly this is the case for systems housed in the AWS Cloud. In these instances, the data center (or other entity) that houses your system will most likely take care of some of the controls for your system — in which case your system will be able to “inherit” controls.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the providing system completely takes care of a control, it is called a \u003cstrong\u003ecommon, or fully inherited\u003c/strong\u003e control. If the providing system takes care of part of a control, and relies on your system to take care of the rest of the control, it is called a \u003cstrong\u003ehybrid\u003c/strong\u003e control; your team remains responsible for implementing and documenting its portion. 
(The CFACTS User Manual has additional information on how to inherit a control.)\u003c/p\u003e\u003cp\u003eUnderstanding which controls your team must address and which controls are available through full or partial inheritance will help you understand how to document your security control compliance (which is the next step in the cycle).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSupplemental controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupplemental controls (previously referred to as non-mandatory controls in ARS 3.1) can be added to a system as necessary, and are not included in baseline control allocation. They should be reviewed and added as appropriate for your system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eImplement security controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIt is your responsibility as your system's security and privacy Subject Matter Expert to make sure that your Business Owner, system developers, and system administrators understand the controls that must be in place for your system to be “secure” to CMS standards.\u0026nbsp; Once these controls have been implemented, \u003cstrong\u003ethey need to be documented within CFACTS\u003c/strong\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; All security controls that have been allocated for your system \u003cstrong\u003emust have some comment\u003c/strong\u003e describing how the control is implemented. \u0026nbsp; Even fully inherited controls should have a notation that the control is fully inherited, and from which system.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDevelop system documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSeveral key documents are important to understanding the security posture of your FISMA system.\u0026nbsp; CFACTS can help with this process by automatically generating some of the documents, such as the System Security Plan. Other documents are found within CFACTS, such as System Categorization. 
Others, such as the Information System Risk Assessment (ISRA) must be completed using CMS-approved templates. Finally, others may either use a CMS template or a locally generated document such as the Security Impact Assessment (SIA).\u003c/p\u003e\u003cp\u003eNote:\u003cstrong\u003e Make sure that all CFACTS entries, including all security controls, are accurate and complete at all times.\u0026nbsp;\u003c/strong\u003e This will ensure that CFACTS-generated documents are accurate.\u003c/p\u003e\u003cp\u003eItems for the system documentation include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem Security and Privacy Plan (SSPP)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e is the key document associated with the FISMA system security. It should provide an accurate, detailed description of the FISMA system itself, security requirements, and those controls that are actually in place to protect the system. This document is generated by CFACTS.\u003c/p\u003e\u003cp\u003eTip: It is a best practice to maintain older copies of SSPPs as new versions are generated. 
Do not overwrite old SSPPs; you never can tell when you might need to refer to an older version.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eLearn more about System Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Risk Assessment (ISRA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eISRA\u003c/a\u003e details the business and technical risks associated with a FISMA system.\u0026nbsp; It shares high-level information from CFACTS, as well as specific risks noted and how critical they are.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eLearn more about Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePIA\u003c/a\u003e is not simply a compliance step — it guides the full analysis of a system for privacy risks and controls. A PIA is a process for assessing whether appropriate privacy policies, procedures, business practices, and security controls are implemented to ensure compliance with federal privacy regulations. 
PIAs are published on HHS.gov and go through a three-year review process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003eLearn more about Privacy Impact Assessment (PIA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eThird-Party Websites and Applications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_M-10-23.pdf\"\u003eOffice of Management and Budget Memorandum 10-23\u003c/a\u003e, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party websites and applications to ensure that the use protects privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs for all third-party websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. The CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system can be \u003ca href=\"https://www.hhs.gov/pia/index.html#Third-Party\"\u003eaccessed here on the HHS website\u003c/a\u003e. CMS implementation specifications are included in the CMS Acceptable Risk Safeguards (ARS 5.1).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Threshold Analysis\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA Privacy Threshold Analysis (PTA) is a PIA for a system that does not contain PII or only contains HHS employee information. PTAs remain internal to HHS and do not have to go through the three-year review process. A PTA may be updated based on a major change to the system. 
It is also possible that change to a system could result in a PTA then meeting the threshold to be a PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct Contingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://dkanreserve.prod.acquia-sites.com/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp;provides instructions, disaster declaration criteria, and procedures to recover information systems and associated services after a disruption. It involves cooperation with your Business Owner, your data center or hosting facility, and senior CMS leadership. (See CMS Risk Management Handbook Chapter 6: Contingency Planning).\u003c/p\u003e\u003cp\u003eAs the ISSO, you will coordinate efforts with your Business Owner to determine the business criticality of key processes. This effort will result in a Business Impact Analysis (BIA) which, in turn, serves as the primary requirement document for determining key recovery metrics including the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Maximum Tolerable Downtime (MTD), and Work Recovery Time (WRT).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime.\u0026nbsp; Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHere are the key steps and documents involved in Contingency Planning:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCreate Contingency Plan (CP) document\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP Plan is a single document that contains:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey recovery metrics for your FISMA system\u003c/li\u003e\u003cli\u003ePre-defined descriptions of conditions that constitute a need for 
action\u003c/li\u003e\u003cli\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli\u003eItem-level understanding of all of the hardware and software components of the FISMA system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt's important to keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CP must be attested to (signed) by the FISMA System Owner annually.\u003c/li\u003e\u003cli\u003eAll of the information necessary for executing the contingency plan must be in the CP itself.\u0026nbsp; There should be no references to offline personnel lists, contact information, system information, etc., because those sources may be unavailable during the very outage the plan is meant to address.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAll identified Key Personnel must have access to their own copy of the CP in a secure location that is accessible in the event that the FISMA system is unavailable.\u003c/li\u003e\u003cli\u003eThe Contingency Plan, above all FISMA system documentation, must remain current.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eConduct Contingency Plan (CP) Exercise\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP must be exercised (tested) at least once every 365 days. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one (the easiest) way to test the CP. An exercise plan must be prepared and followed during the execution of the test. All staff who would participate in an actual CP activation must be available for the exercise.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: \u003cstrong\u003eKey staff members must be trained annually in their contingency responsibilities.\u003c/strong\u003e It is best to perform this training immediately prior to the exercise. 
Training in this way refreshes individuals' memories and ensures their availability for the test.\u003c/p\u003e\u003cp\u003e\u003cem\u003eTip: If your FISMA system is involved in an outage that causes you to exercise the CP Plan, you should consider documenting this event as an exercise of your CP Plan.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/contingency-plan\"\u003eLearn more about Contingency Plan testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGet after action report\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter the exercise is conducted, an after action report must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in POA\u0026amp;Ms.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAchieve Contingency Plan (CP) re-certification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter any corrections have been made, the updated Contingency Plan must be re-certified by the System Owner. Make sure that all key staff members receive updated CP documents that they have access to (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies; they contain staff contact details and system inventory information and are no longer accurate.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssess security controls for your system(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS systems are required to undergo assessments of risk and security/privacy control compliance before they are given Authorization to Operate (ATO). 
The assessment and authorization process protects the security and privacy posture of CMS systems throughout the system development lifecycle.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAssessments of risk and/or control compliance are conducted:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen a new system is ready to be placed into an operational state\u003c/li\u003e\u003cli\u003eWhen a significant change has been made to an existing system\u003c/li\u003e\u003cli\u003eAnnually, if a system follows a FISMA 1/3 assessment schedule\u003c/li\u003e\u003cli\u003eAd hoc when requested or otherwise required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCurrently there are two main types of controls assessments: SCA and CSRAP (formerly ACT).\u0026nbsp; Your component will dictate which type of assessment your system undergoes.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: Whichever one your system uses, make sure to schedule your assessment \u003cstrong\u003eas soon as possible\u003c/strong\u003e. When the assessment is complete, make sure all documentation is complete and housed in CFACTS appropriately.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Controls Assessment (SCA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis is a detailed evaluation of the controls protecting an information system.\u0026nbsp; The security controls assessment determines the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eLearn more about Security Controls Assessment (SCA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP) (Formerly Adaptive Capabilities Testing (ACT))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. 
CSRAP assesses a system's security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePenetration testing\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePenetration testing is performed on information systems or individual system components to identify vulnerabilities that could be exploited by bad actors. It is used to validate vulnerabilities or determine the degree of resistance that organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills).\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing attempts to duplicate the actions of internal and external bad actors in carrying out hostile cyber-attacks against the organization and allows a more in-depth analysis than a controls assessment alone. 
It can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing is performed on all High Value Assets (HVA) information systems within CMS at a frequency of every 365 days or when there has been a significant change to the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is considered to be part of the group of assessments required for CMS systems, and its results are recorded in CFACTS similarly to the controls assessments (SCA and/or CSRAP, formerly ACT).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003eLearn more about penetration testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Assessment Report (SAR) and CAAT file\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFor all assessments, a final Security Assessment Report (SAR) chronicles the results of the assessment. The \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eRisk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e states:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAt the completion of a security controls assessment, the independent assessor completes a CMS Assessment and Audit Tracking (CAAT) spreadsheet. The CAAT spreadsheet is utilized for all CMS audits, assessments and penetration testing vulnerabilities. The completed CAAT spreadsheet is emailed to the CMS CISO mailbox at \u003c/em\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003e\u003cem\u003eCISO@cms.hhs.gov\u003c/em\u003e\u003c/a\u003e\u003cem\u003e for upload into the CFACTS tool. Once uploaded into CFACTS, the weaknesses are automatically generated for all items with a status of “other than satisfied”. The ISSO for the associated information system receives an automated email notification from the CFACTS tool identifying a new weakness. 
The ISSO has 30 days to create a POA\u0026amp;M within CFACTS.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage Plan of Action and Milestones (POA\u0026amp;M)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe POA\u0026amp;M is a remedial action plan (the process of accepting or resolving a risk) which helps the agency to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and assess information system security and privacy weaknesses\u003c/li\u003e\u003cli\u003eSet priorities about how to mitigate weaknesses using available resources\u003c/li\u003e\u003cli\u003eMonitor and report progress toward mitigating the weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO are responsible for opening, maintaining / updating, and closing POA\u0026amp;Ms on a continual basis to ensure the maximum level of information security for system(s) entrusted to your care.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003eLearn more about Plan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthorize the system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystem authorization is the formal decision by senior officials to allow a CMS information system to operate. 
Commonly known as Authorization to Operate (ATO), this is the culmination of all the tests, assessments, remediation, documentation, and other activities that the ISSO and others on the portfolio team have done to ensure information security for the system.\u003c/p\u003e\u003cp\u003eIn formal terms, authorization is described in the CMS Risk Management Handbook Chapter 4: Security Assessment and Authorization:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSecurity authorizations are official management decisions that are conveyed through authorization decision documents by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. The CIO serves as the authorizing official for CMS. The CIO is responsible for making an overall determination of risk and authorizing CMS information systems for operation, if it is determined that the associated risks are acceptable. 
An ATO memo is signed by the CIO giving the System Owner/BO formal authority to operate a CMS information system.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThere are three NIST document requirements for an ATO “package” and six more that are specific to CMS.\u0026nbsp; The documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Security and Privacy Plan (SSPP)\u003c/li\u003e\u003cli\u003eSecurity Assessment (Final) Report (SAR)\u003c/li\u003e\u003cli\u003ePlans of Action and Milestones (POA\u0026amp;M)\u003c/li\u003e\u003cli\u003eContingency Plan (CP)\u003c/li\u003e\u003cli\u003eCP Testing Plan\u003c/li\u003e\u003cli\u003eCP Test After Action Report\u003c/li\u003e\u003cli\u003eInformation System Risk Assessment (ISRA)\u003c/li\u003e\u003cli\u003ePrivacy Impact Assessment (PIA)\u003c/li\u003e\u003cli\u003eInterconnection Security Agreement (ISA) as applicable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGetting these documents together and conducting all necessary steps can be a long process so \u003cstrong\u003eyou should start working on your ATO as early as possible\u003c/strong\u003e to ensure timely completion.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/authorization-operate-ato\"\u003eLearn more about System Authorization\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuous monitoring\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eContinuous monitoring is the practice of using modern tools and technology to continuously check systems for vulnerabilities and risks. Rather than thinking of getting an ATO as having “achieved” compliance, continuous monitoring allows us to observe and track evolving risks over time. Security is never “done”.\u003c/p\u003e\u003cp\u003eContinuous monitoring is a growing program at CMS. 
As an ISSO, you will work closely with the CMS Cybersecurity Integration Center (CCIC) to ensure that your system is appropriately monitored.\u0026nbsp; CCIC ensures oversight of information security and privacy, including Security Information and Event Management (SIEM), for each FISMA system operated by or on behalf of CMS.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CCIC delivers various agency-wide security services.\u0026nbsp; These services include \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e as well as security engineering, incident management, forensics and malware analysis, information sharing, cyber threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eMore information about continuous monitoring can be found in the \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eCMS Risk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage security incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAlong the way, a system entrusted to your care might have a security or privacy incident or breach. Anytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. 
If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eKnown or suspected security or privacy incidents involving CMS information or information systems \u003cstrong\u003emust be reported immediately\u003c/strong\u003e to the CMS IT Service Desk (do not wait to confirm the incident before reporting):\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 1-800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO should be apprised of the situation as soon as possible (if you're not the one who initially reported the incident). You will work with the Incident Management Team (IMT) and others involved with your system to manage and report the incident and mitigate any resulting harm. More details can be found in the CMS Risk Management Handbook (RMH) Chapter 8: Incident Response.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISSO toolkit\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section contains links to documents you will access often in your daily activities, and resources to support your work as an ISSO. You should become familiar with the purpose and usage of each.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocuments\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Information Security Acceptable Risk Safeguards (ARS 5.1) defines information security and privacy control requirements and includes additional, detailed policy traceability statements within each control description. 
The ARS 5.1 provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS 5.1 may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.\u003c/p\u003e\u003cp\u003eThe goal of the ARS 5.1 is to define a baseline of minimum information security and privacy assurance controls. The controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS. Protecting and ensuring the confidentiality, integrity, and availability for all of CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS 5.1 complies with the CMS IS2P2 by providing a defense-in-depth security structure along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cybergeek.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eLearn more about ARS 5.1\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis policy defines the framework under which CMS protects and controls access to CMS information and information systems. 
It provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information to assure the confidentiality, integrity, and availability of CMS information and systems.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eAlong with the Acceptable Risk Safeguards (ARS 5.1), the IS2P2 stands as one of the core reference sources for cybersecurity policies and practices at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eGo to the IS2P2\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Risk Management Handbooks\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis series of handbooks is designed to help ISSOs understand and address the many CMS security and privacy requirements developed to protect their system(s). The RMH chapters are generally aligned to provide specific guidance and recommendations for specific ARS 5.1 Control Families. (For example, \u003cstrong\u003eRMH Chapter 6: Contingency Planning\u003c/strong\u003e addresses the ARS 5.1 controls in the \u003cstrong\u003eCP Family\u003c/strong\u003e.) As you work through your ARS 5.1 controls, you should have the appropriate RMH handy.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eLearn more about the CMS Risk Management Handbook (RMH)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTools and resources\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS FISMA Controls Tracking System (CFACTS) is the system used by CMS as a repository for managing the security and privacy requirements of its information systems. 
It provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across the CMS enterprise. You will use it for tracking your tasks associated with system authorization, risk remediation, and more.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx#home\"\u003eGo to CFACTS\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003cp\u003eA user manual is produced by the team that administers CFACTS and gives a guided tour through all activities in CFACTS. Although it is not a primer in risk management, many activities and concepts can be understood implicitly through their description in the User Manual and implementation in CFACTS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx\"\u003eGo to CFACTS user manual\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISPG website (CyberGeek)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Information Security and Privacy Group (ISPG) provides the “CyberGeek” website as a one-stop shop for all security and privacy related information at CMS including dedicated resource pages for ISSOs and other roles. This is a new site, and more information will become available as it grows.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/\"\u003eGo to ISPG website (CyberGeek)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Slack\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSlack is an application that allows for fast and easy communication among all CMS employees and contractors. Spaces called channels allow for focused communication which will keep you organized and informed during your daily routine. 
Below is a list of Slack channels that will help you on your journey to becoming a fully independent ISSO:\u003c/p\u003e\u003cul\u003e\u003cli\u003e#ars-feedback\u003c/li\u003e\u003cli\u003e#cfacts_community\u003c/li\u003e\u003cli\u003e#cisab\u003c/li\u003e\u003cli\u003e#cms-isso\u003c/li\u003e\u003cli\u003e#cyber-risk-management\u003c/li\u003e\u003cli\u003e#ispg-all\u003c/li\u003e\u003cli\u003e#isso-as-a-service\u003c/li\u003e\u003cli\u003e#security_community\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAcronyms\u003c/h4\u003e\u003cp\u003eLike most other parts of government, the security and privacy world at CMS is full of acronyms. ISPG maintains a list of acronyms so you can easily look up unfamiliar terms.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/acronyms\"\u003eSee the acronym list here\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Framework\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an ISSO, your daily tasks support CMS in applying the NIST Cybersecurity Framework (CSF), guidance created by the National Institute of Standards and Technology to help organizations effectively manage cybersecurity risk. (Executive Order 13800, \u003ca href=\"https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure\"\u003eStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure\u003c/a\u003e, made the Framework mandatory for U.S. federal government agencies.)\u003c/p\u003e\u003cp\u003eWe have created the \u003cstrong\u003eISSO Framework\u003c/strong\u003e to show how ISSO responsibilities align with specific functions and categories of the NIST Cybersecurity Framework, and how the ISSO works with other people within the organization to complete tasks. 
You can refer to this Framework whenever you have questions about documentation or activities related to your job.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSPC/ISPG%20DSPC%20Documents%20%20Internal/ISSO%20Engagement%20and%20Outreach%20Initiative/ISSO%20Framework\"\u003eGo to the ISSO Framework\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity and Privacy Language for IT Procurements\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS provides templated language to use in IT procurements to ensure the security and privacy of information and information systems that CMS uses. This includes systems provided or managed by contractors or subcontractors on behalf of CMS. The ISSO may provide support to this process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-and-privacy-requirements-it-procurements\"\u003eLearn more about Security and Privacy Language for IT Procurements\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTarget Life Cycle (TLC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS requires all new IT systems to follow the Target Life Cycle (TLC), a common framework for governing system development across the enterprise. The TLC accommodates various IT development methodologies while ensuring that systems meet all applicable legislative and policy requirements.\u0026nbsp;\u003c/p\u003e\u003cp\u003e(The TLC has replaced the former Expedited Life Cycle (XLC) as the official IT governance framework at CMS. 
If your current projects or contracts specify the use of XLC-related tools, templates, or reviews, you may continue using them.\u0026nbsp; You may also use fewer or alternative tools and templates, as long as you meet the minimum requirements outlined within the TLC.)\u003c/p\u003e\u003cp\u003eAs an ISSO, you will enter the TLC by filling out an intake form when:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInitiate a new IT project\u003c/li\u003e\u003cli\u003eConduct an acquisition to support a new IT project\u003c/li\u003e\u003cli\u003eRequest new/increased funding to support an IT project\u0026nbsp;\u003c/li\u003e\u003cli\u003ePlan significant changes to an existing IT project\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter submitting your form, the CMS IT Governance Team will help you meet TLC requirements. You can also contact the governance team via email: \u003ca href=\"mailto:IT_Governance@cms.hhs.gov\"\u003eIT_Governance@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC\"\u003eLearn more about the TLC\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/CIOCorner/Lists/Intake/NewForm.aspx\"\u003eFill out an intake form\u003c/a\u003e (requires CMS login)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eResources external to CMS\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) is the parent organization for CMS. All of our policies and guidance are based on HHS-level documentation. 
The IS2P comprises HHS policies and procedures that ensure the secure collection, use, sharing, and storage of information that is both terrorism-related information and “protected information (PI)”.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere possible, this document identifies existing HHS policies and procedures that meet the privacy requirements. Where necessary, however, this document also creates policies specific to the activities and resources that HHS requires.\u0026nbsp; The IS2P is one of the base documents from which CMS requirements are created. You can request a copy of this policy from the CISO team: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHHS Cybersecurity Library\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes CMS borrows policies and standards directly from HHS, our parent organization. You will sometimes need to access the HHS library of cybersecurity documents for your work.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://intranet.hhs.gov/security/index.html\"\u003eGo to the HHS library\u003c/a\u003e (requires login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Special Publications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eNIST Special Publications in the 800 series are of general interest to the computer security community, and these documents serve as the foundation for CMS security and privacy practices. 
Specifically helpful to ISSOs are the publications that catalog the security and privacy controls and the assessment procedures used to verify that each control is implemented and operating as intended.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final\"\u003eNIST SP 800-53A Rev. 5: Assessing Security and Privacy Controls in Information Systems and Organizations\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-800-series-of-special-publications\"\u003eLearn more about NIST SP 800 series\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Computer Security Resource Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe National Institute of Standards and Technology (NIST) publishes helpful resources on computer, cyber, and information security and privacy. Explore publications, news, programs, and events that will help you expand your cybersecurity knowledge.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/\"\u003eVisit the NIST Resource Center\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOMB Memoranda and Circulars\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEvery year, the Office of Management and Budget (OMB) publishes a Memo with reporting instructions and guidance for FISMA, which can be useful to people with cybersecurity responsibilities at CMS. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/memoranda/\"\u003eExplore OMB memos here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThere are a number of OMB Circulars that provide general guidance on information security. 
Three of the most relevant are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a130_a130appendix_iii\"\u003eA-130 - Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_Circular_A-123.pdf\"\u003eA-123 - Management's Responsibility for Internal Control\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a127/\"\u003eA-127 - Financial Management Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOMB A-130 applies to all IT systems while A-123 and A-127 apply primarily to financial systems. ISSOs should be aware of these foundation documents and have a general understanding of their content. Note that the A-130 and A-127 links above point to archived editions: A-130 was substantially revised in 2016, and A-127 has since been rescinded with its requirements folded into A-123, so confirm current requirements against the versions published on the OMB site. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars/\"\u003eExplore all OMB Circulars here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho to contact\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen you have a question or challenge, we are here to help! Here are key points of contact for situations you may face as an ISSO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy incident\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReport known or suspected security or privacy incidents involving CMS data to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e. Report as soon as you discover or suspect an incident — do not wait to confirm or investigate it yourself first — and do not forward the affected sensitive data itself in the e-mail report.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDo you have a question or concern related to CMS information security or privacy, and need a place to start? 
Send an email to the CISO Team at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e regarding information security, or an email to \u003ca href=\"mailto:Privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e for questions regarding information privacy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you have questions about the ISSO role or other activities such as the ISSO Forum — or if you just want to hear from an ISSO — send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOversight and guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) and Privacy Advisor are your ISPG support representatives. They help improve accountability and risk management by providing hands-on oversight to system cybersecurity and privacy risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO community\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Community Forum (C3F)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis monthly meeting is held for the benefit of the CMS security community, covering timely and relevant topics from ISPG speakers. It’s open to all CMS and contractor security professionals. Meeting details (location, time, video conferencing link) will be in the email invitation, which is sent monthly to everyone at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eSee past Forum videos and materials\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Journal\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRead the ISSO Journal to stay updated on cybersecurity trends, learn about current events, and hear from other ISSOs. 
The Journal is distributed widely among CMS staff, and all cybersecurity professionals — both CMS and contractor staff — are invited to contribute! Contact us by email (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e) if you would like to write a post.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Journal\"\u003eRead the ISSO Journal\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe mentorship program allows experienced ISSOs to support those who are newer to the role. For mentors, this is an opportunity to build leadership skills and strengthen the future of cybersecurity at CMS. For mentees, this allows you to build your knowledge faster and get hands-on support. The structure of the program is flexible — both ISSOs will decide what cadence and duration for meetings works for them.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA mentorship usually lasts 6 months to a year. Your supervisor will need to approve your participation in the program.\u0026nbsp; Note that although the program is generally used by newer ISSOs, it is also available for existing ISSOs who want additional bootstrap help — for example, if they are dealing with an issue or project that is new to them. Mentorship is for these ISSOs, too!\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/isso-mentorship-program\"\u003eLearn about the ISSO Mentorship Program\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePeople come to the ISSO role from many backgrounds, with differing experiences, so each may start at a different place. Broadly, ISSOs need to have both general cybersecurity knowledge and specific knowledge of how things operate at CMS. 
For new ISSOs, see the “Getting Started” section of this Handbook for tips on beginning your training journey.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNICE code for ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere is a Federal initiative to help train cybersecurity professionals. The \u003ca href=\"https://www.nist.gov/itl/applied-cybersecurity/nice\"\u003eNational Initiative for Cybersecurity Education\u003c/a\u003e (NICE) seeks to link appropriate training to cybersecurity roles by associating NICE “codes” with training opportunities. \u003cstrong\u003eAs an ISSO, your NICE code is OV-MGT-001\u003c/strong\u003e (the Information Systems Security Manager work role). Knowing this will help you find appropriate training for particular tasks or knowledge areas.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining sources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are many external sources such as professional associations and training organizations that can help you expand your cybersecurity knowledge and skills, but you can also get excellent free training that is provided by CMS and HHS. 
They are offered via the following platforms:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/cbt\"\u003eCMS Computer Based Training\u003c/a\u003e (CBT) - Free online training courses provided by CMS\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Training Catalog - List of current training offerings and events (such as webinars) from CMS\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/display/IIP/ISSO+Training\"\u003eISSO Training Page\u003c/a\u003e - Collection of training resources in the ISPG Confluence environment that helps you navigate the training options available to you\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://ams.hhs.gov/amsLogin/SimpleLogin.jsp\"\u003eHHS Learning Management System\u003c/a\u003e\u0026nbsp; (LMS) - Free courses for federal employees (not contractors) provided through HHS to advance your core cybersecurity knowledge or prepare you for certifications\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://fedvte.usalearning.gov/\"\u003eFederal Virtual Training Environment\u003c/a\u003e (FedVTE) - Another source of free training courses available to federal employees and contractors (similar to the LMS above).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo help ISSOs focus on the most relevant training, below is a list of Basic, Intermediate, and Advanced courses that will help you grow in the specific skills needed for your role.\u003c/p\u003e\u003ch4\u003eBasic ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below provide both an introduction to cybersecurity in general and guidance on how these concepts are implemented at CMS. The courses listed in bold are the most important. You should consider some or all of the rest of the courses as your time permits. If possible, try to complete the bolded courses within your first two months as an ISSO. There is no cost to take these courses. 
Note: HHS LMS is only available to federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eISSO Fundamentals\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWorking With CFACTS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eClassroom / Remote\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAll About the CMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrivacy and Awareness Training\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExecutives Guide to Security: Protecting Your Information\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Awareness: Getting Started with Security Foundations, Information Security Fundamentals, and Key Security Terms\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing, Safeguarding Mobile Devices, and Privacy \u0026amp; Information Security (The Basics)\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity 101: Auditing \u0026amp; Incident Response and Session \u0026amp; Risk Management\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eIntermediate ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below will build on your initial knowledge. As before, you should start with the courses listed in bold, or on topics that have immediate importance to you. There is no cost to take these courses. 
Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eNavigating New Cybersecurity and Privacy Policies and Procedures\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHow Hackers Hack and How to Protect Yourself\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident Response at CMS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCMS Privacy Incident Response: Quick Guide for Business Owners\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Race\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFundamentals of Cyber Risk Management\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFoundations of Incident Management\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Audits\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eImplementation of Security Controls\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eAdvanced ISSO training\u003c/h4\u003e\u003cp\u003eThe advanced courses recommended below will help you gain a deeper understanding of the cybersecurity issues that you have been working with. They may also be appropriate to take earlier if you entered the ISSO role with a good basic understanding of both CMS operations and cybersecurity in general. 
There is no cost to take these courses.\u0026nbsp; Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEmerging Cyber Security Threats\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring Infrastructure Devices\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring the Network Perimeter\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Computing Fundamentals: Cloud Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Architecture\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Platforms\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCloud Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA A+: Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEncryption and Malware\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA Server+: Network Security Protocols\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA 
Cloud+\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"jcallan - 
retired\"}\n26:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"mburgess\"}\n2a:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+0"])</script><script>self.__next_f.push([1,"0:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"
}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_in"])</script><script>self.__next_f.push([1,"ternal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/r"])</script><script>self.__next_f.push([1,"oles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles"])</script><script>self.__next_f.push([1,"\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n93:{\"rel"])</script><script>self.__next_f.push([1,"ated\":\"$94\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"roles\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\naf:{\"href\":\"https://cyber"])</script><script>self.__next_f.push([1,"geek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\nb1:{\"self\":\"$b2\"}\nb4:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb3:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b4\"}\nb8:{\"drupal_internal__target_id\":\"topics\"}\nb7:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b8\"}\nba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nb9:{\"related\":\"$ba\",\"self\":\"$bb\"}\nb6:{\"data\":\"$b7\",\"links\":\"$b9\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nbc:{\"data\":null,\"links\":\"$bd\"}\nc6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c6\"}\nc4:{\"help\":\"$c5\"}\nc3:{\"links\":\"$c4\"}\nc2:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c3\"}\nc1:[\"$c2\"]\nc8:{\"href\":\""])</script><script>self.__next_f.push([1,"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nc7:{\"related\":\"$c8\",\"self\":\"$c9\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c7\"}\nb5:{\"vid\":\"$b6\",\"revision_user\":\"$bc\",\"parent\":\"$c0\"}\nb0:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b5\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\ncb:{\"self\":\"$cc\"}\nce:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncd:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ce\"}\nd2:{\"drupal_internal__target_id\":\"topics\"}\nd1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d2\"}\nd4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nd3:{\"related\":\"$d4\",\"self\":\"$d5\"}\nd0:{\"data\":\"$d1\",\"links\":\"$d3\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nd7:{\"related\":\"$d8\",\"self\":\"$d9\"}\nd6:{\"data\":null,\"links\":\"$d7\"}\ne0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ndf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/cor"])</script><script>self.__next_f.push([1,"e-concepts#virtual\",\"meta\":\"$e0\"}\nde:{\"help\":\"$df\"}\ndd:{\"links\":\"$de\"}\ndc:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$dd\"}\ndb:[\"$dc\"]\ne2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\ne1:{\"related\":\"$e2\",\"self\":\"$e3\"}\nda:{\"data\":\"$db\",\"links\":\"$e1\"}\ncf:{\"vid\":\"$d0\",\"revision_user\":\"$d6\",\"parent\":\"$da\"}\nca:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$cb\",\"attributes\":\"$cd\",\"relationships\":\"$cf\"}\ne6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3?resourceVersion=id%3A19674\"}\ne5:{\"self\":\"$e6\"}\ne8:[]\nea:T1c95,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the Risk Management Framework (RMF)?\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/projects/risk-management/about-rmf\"\u003eRisk Management Framework (RMF)\u003c/a\u003e from NIST provides a structured yet flexible process for managing risk throughout a systems life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.\u003c/p\u003e\u003ch2\u003eRMF at CMS\u003c/h2\u003e\u003cp\u003eCMS looks to NIST as an authoritative source of best practices for information system security. 
We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Risk Management Framework\u003c/strong\u003e refers to any application of the NIST RMF within the CMS environment. Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.\u003c/p\u003e\u003cp\u003eThe CMS Risk Management Framework (based on the NIST RMF):\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntegrates information security and privacy protections into the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/EnterpriseArchitecture\"\u003eEnterprise Architecture\u003c/a\u003e, \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProvides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems\u003c/li\u003e\u003cli\u003eLinks risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)\u003c/li\u003e\u003cli\u003eEstablishes responsibility and accountability for security and privacy controls deployed within CMS information systems and inherited by those systems (i.e., common controls)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eRMF steps\u003c/h2\u003e\u003cp\u003eThe steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information 
throughout a systems life cycle. Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.\u003c/p\u003e\u003ch3\u003ePrepare\u003c/h3\u003e\u003cp\u003eCarry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey risk management roles identified\u003c/li\u003e\u003cli\u003eOrganizational risk management strategy established, risk tolerance determined\u003c/li\u003e\u003cli\u003eOrganization-wide risk assessment\u003c/li\u003e\u003cli\u003eOrganization-wide strategy for continuous monitoring developed and implemented\u003c/li\u003e\u003cli\u003eCommon controls identified\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003e\u003cstrong\u003eRead the handbook for the Prepare step\u003c/strong\u003e\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003eCategorize\u003c/h3\u003e\u003cp\u003eInform organizational risk management processes and tasks by determining the adverse impact\u0026nbsp; with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. 
Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem characteristics documented\u003c/li\u003e\u003cli\u003eSecurity categorization of the system and information completed\u003c/li\u003e\u003cli\u003eCategorization decision reviewed/approved by authorizing official\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Categorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eSelect\u003c/h3\u003e\u003cp\u003eSelect, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl baselines selected and tailored\u003c/li\u003e\u003cli\u003eControls designated as system-specific, hybrid, or common\u003c/li\u003e\u003cli\u003eControls allocated to specific system components\u003c/li\u003e\u003cli\u003eSystem-level continuous monitoring strategy developed\u003c/li\u003e\u003cli\u003eSecurity and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003e\u003cstrong\u003eRead the handbook for the Select step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eImplement\u003c/h3\u003e\u003cp\u003eImplement the controls in the security and privacy plans for the system and organization. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls specified in security and privacy plans implemented\u003c/li\u003e\u003cli\u003eSecurity and privacy plans updated to reflect controls as implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003e\u003cstrong\u003eRead the handbook for the Implement step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssess\u003c/h3\u003e\u003cp\u003eDetermine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment team selected\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment plans developed\u003c/li\u003e\u003cli\u003eAssessment plans are reviewed and approved\u003c/li\u003e\u003cli\u003eControl assessments conducted in accordance with assessment plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports developed\u003c/li\u003e\u003cli\u003eRemediation actions to address deficiencies in controls are taken\u003c/li\u003e\u003cli\u003eSecurity and privacy plans are updated to reflect control implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003e\u003cstrong\u003eRead the handbook for the Assess step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAuthorize\u003c/h3\u003e\u003cp\u003eProvide\u0026nbsp; accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAuthorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)\u003c/li\u003e\u003cli\u003eRisk determination rendered\u003c/li\u003e\u003cli\u003eRisk responses provided\u003c/li\u003e\u003cli\u003eAuthorization for the system or common controls is approved or denied\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Authorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eMonitor\u003c/h3\u003e\u003cp\u003eMaintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem and environment of operation monitored in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOngoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOutput of continuous monitoring activities analyzed and responded to\u003c/li\u003e\u003cli\u003eProcess in place to report security and privacy posture to management\u003c/li\u003e\u003cli\u003eOngoing authorizations conducted using results of continuous monitoring activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003e\u003cstrong\u003eRead the handbook for the Monitor step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"eb:T1c95,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the Risk Management Framework (RMF)?\u003c/h2\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/projects/risk-management/about-rmf\"\u003eRisk Management Framework 
(RMF)\u003c/a\u003e from NIST provides a structured yet flexible process for managing risk throughout a systems life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.\u003c/p\u003e\u003ch2\u003eRMF at CMS\u003c/h2\u003e\u003cp\u003eCMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.\u003c/p\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Risk Management Framework\u003c/strong\u003e refers to any application of the NIST RMF within the CMS environment. Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.\u003c/p\u003e\u003cp\u003eThe CMS Risk Management Framework (based on the NIST RMF):\u003c/p\u003e\u003cul\u003e\u003cli\u003eIntegrates information security and privacy protections into the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/EnterpriseArchitecture\"\u003eEnterprise Architecture\u003c/a\u003e, \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProvides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems\u003c/li\u003e\u003cli\u003eLinks risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)\u003c/li\u003e\u003cli\u003eEstablishes responsibility and accountability for security and privacy controls 
deployed within CMS information systems and inherited by those systems (i.e., common controls)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eRMF steps\u003c/h2\u003e\u003cp\u003eThe steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a systems life cycle. Each step is defined by its outcomes, which provide a clear roadmap to an effective risk management strategy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.\u003c/p\u003e\u003ch3\u003ePrepare\u003c/h3\u003e\u003cp\u003eCarry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey risk management roles identified\u003c/li\u003e\u003cli\u003eOrganizational risk management strategy established, risk tolerance determined\u003c/li\u003e\u003cli\u003eOrganization-wide risk assessment\u003c/li\u003e\u003cli\u003eOrganization-wide strategy for continuous monitoring developed and implemented\u003c/li\u003e\u003cli\u003eCommon controls identified\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-prepare-step\"\u003e\u003cstrong\u003eRead the handbook for the Prepare step\u003c/strong\u003e\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003eCategorize\u003c/h3\u003e\u003cp\u003eInform organizational risk management processes and tasks by determining the adverse impact\u0026nbsp; with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. 
Outcomes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem characteristics documented\u003c/li\u003e\u003cli\u003eSecurity categorization of the system and information completed\u003c/li\u003e\u003cli\u003eCategorization decision reviewed/approved by authorizing official\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-categorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Categorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eSelect\u003c/h3\u003e\u003cp\u003eSelect, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl baselines selected and tailored\u003c/li\u003e\u003cli\u003eControls designated as system-specific, hybrid, or common\u003c/li\u003e\u003cli\u003eControls allocated to specific system components\u003c/li\u003e\u003cli\u003eSystem-level continuous monitoring strategy developed\u003c/li\u003e\u003cli\u003eSecurity and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-select-step\"\u003e\u003cstrong\u003eRead the handbook for the Select step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eImplement\u003c/h3\u003e\u003cp\u003eImplement the controls in the security and privacy plans for the system and organization. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls specified in security and privacy plans implemented\u003c/li\u003e\u003cli\u003eSecurity and privacy plans updated to reflect controls as implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-implement-step\"\u003e\u003cstrong\u003eRead the handbook for the Implement step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAssess\u003c/h3\u003e\u003cp\u003eDetermine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAssessment team selected\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment plans developed\u003c/li\u003e\u003cli\u003eAssessment plans are reviewed and approved\u003c/li\u003e\u003cli\u003eControl assessments conducted in accordance with assessment plans\u003c/li\u003e\u003cli\u003eSecurity and privacy assessment reports developed\u003c/li\u003e\u003cli\u003eRemediation actions to address deficiencies in controls are taken\u003c/li\u003e\u003cli\u003eSecurity and privacy plans are updated to reflect control implemented\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-assess-step\"\u003e\u003cstrong\u003eRead the handbook for the Assess step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eAuthorize\u003c/h3\u003e\u003cp\u003eProvide\u0026nbsp; accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable. 
Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAuthorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)\u003c/li\u003e\u003cli\u003eRisk determination rendered\u003c/li\u003e\u003cli\u003eRisk responses provided\u003c/li\u003e\u003cli\u003eAuthorization for the system or common controls is approved or denied\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-authorize-step\"\u003e\u003cstrong\u003eRead the handbook for the Authorize step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e\u003ch3\u003eMonitor\u003c/h3\u003e\u003cp\u003eMaintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem and environment of operation monitored in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOngoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy\u003c/li\u003e\u003cli\u003eOutput of continuous monitoring activities analyzed and responded to\u003c/li\u003e\u003cli\u003eProcess in place to report security and privacy posture to management\u003c/li\u003e\u003cli\u003eOngoing authorizations conducted using results of continuous monitoring activities\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-risk-management-framework-rmf-monitor-step\"\u003e\u003cstrong\u003eRead the handbook for the Monitor 
step\u003c/strong\u003e\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"e9:{\"value\":\"$ea\",\"format\":\"body_text\",\"processed\":\"$eb\"}\ne7:{\"drupal_internal__id\":3534,\"drupal_internal__revision_id\":19674,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:08:53+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e9\"}\nef:{\"drupal_internal__target_id\":\"page_section\"}\nee:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ef\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/paragraph_type?resourceVersion=id%3A19674\"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/relationships/paragraph_type?resourceVersion=id%3A19674\"}\nf0:{\"related\":\"$f1\",\"self\":\"$f2\"}\ned:{\"data\":\"$ee\",\"links\":\"$f0\"}\nf5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/field_specialty_item?resourceVersion=id%3A19674\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/relationships/field_specialty_item?resourceVersion=id%3A19674\"}\nf4:{\"related\":\"$f5\",\"self\":\"$f6\"}\nf3:{\"data\":null,\"links\":\"$f4\"}\nec:{\"paragraph_type\":\"$ed\",\"field_specialty_item\":\"$f3\"}\ne4:{\"type\":\"paragraph--page_section\",\"id\":\"5080ba6c-234b-44bb-8e0f-e980ef7f54c3\",\"links\":\"$e5\",\"attributes\":\"$e7\",\"relationships\":\"$ec\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c?resourceVersion=id%3A19675\"}\nf8:{\"self\":\"$f9\"}\nfb:[]\nfa:{\"drupal_internal__id\":3535,\"drupal_internal__revision_id\":19675,\"l
angcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:08:53+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$fb\",\"default_langcode\":true,\"revision_translation_affected\":true}\nff:{\"drupal_internal__target_id\":\"internal_link\"}\nfe:{\"type\":\"paragraph"])</script><script>self.__next_f.push([1,"s_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/paragraph_type?resourceVersion=id%3A19675\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/relationships/paragraph_type?resourceVersion=id%3A19675\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\n105:{\"drupal_internal__target_id\":381}\n104:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":\"$105\"}\n107:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/field_link?resourceVersion=id%3A19675\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/relationships/field_link?resourceVersion=id%3A19675\"}\n106:{\"related\":\"$107\",\"self\":\"$108\"}\n103:{\"data\":\"$104\",\"links\":\"$106\"}\nfc:{\"paragraph_type\":\"$fd\",\"field_link\":\"$103\"}\nf7:{\"type\":\"paragraph--internal_link\",\"id\":\"67c48af9-ef58-4f4d-818b-732fcaeef05c\",\"links\":\"$f8\",\"attributes\":\"$fa\",\"relationships\":\"$fc\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7?resourceVersion=id%3A19676\"}\n10a:{\"self\":\"$10b\"}\n10d:[]\n10c:{\"drupal_internal__id\":3536,\"drupal_internal__revision_id\":19676,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:09:02+00:00\",\"
parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$10d\",\"default_langcode\":true,\"revision_translation_affected\":true}\n111:{\"drupal_internal__target_id\":\"internal_link\"}\n110:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$111\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/paragraph_type?resourceVersion=id%3A19676\"}\n114:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-"])</script><script>self.__next_f.push([1,"ec43d64f07a7/relationships/paragraph_type?resourceVersion=id%3A19676\"}\n112:{\"related\":\"$113\",\"self\":\"$114\"}\n10f:{\"data\":\"$110\",\"links\":\"$112\"}\n117:{\"drupal_internal__target_id\":366}\n116:{\"type\":\"node--library\",\"id\":\"fa2107f3-5c24-458b-b589-6c85321f2015\",\"meta\":\"$117\"}\n119:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/field_link?resourceVersion=id%3A19676\"}\n11a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/relationships/field_link?resourceVersion=id%3A19676\"}\n118:{\"related\":\"$119\",\"self\":\"$11a\"}\n115:{\"data\":\"$116\",\"links\":\"$118\"}\n10e:{\"paragraph_type\":\"$10f\",\"field_link\":\"$115\"}\n109:{\"type\":\"paragraph--internal_link\",\"id\":\"dbaa5ea6-fc41-4077-aad9-ec43d64f07a7\",\"links\":\"$10a\",\"attributes\":\"$10c\",\"relationships\":\"$10e\"}\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd?resourceVersion=id%3A19677\"}\n11c:{\"self\":\"$11d\"}\n11f:[]\n11e:{\"drupal_internal__id\":3537,\"drupal_internal__revision_id\":19677,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:09:33+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\"
:\"field_related_collection\",\"behavior_settings\":\"$11f\",\"default_langcode\":true,\"revision_translation_affected\":true}\n123:{\"drupal_internal__target_id\":\"internal_link\"}\n122:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$123\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/paragraph_type?resourceVersion=id%3A19677\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/relationships/paragraph_type?resourceVersion=id%3A19677\"}\n124:{\"related\":\"$125\",\"self\":\"$126\"}\n121:{\"data\":\"$122\",\"links\":\"$124\"}\n129:{\"drupal_internal__target_id\":261}\n128:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$129\"}\n12b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragr"])</script><script>self.__next_f.push([1,"aph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/field_link?resourceVersion=id%3A19677\"}\n12c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/relationships/field_link?resourceVersion=id%3A19677\"}\n12a:{\"related\":\"$12b\",\"self\":\"$12c\"}\n127:{\"data\":\"$128\",\"links\":\"$12a\"}\n120:{\"paragraph_type\":\"$121\",\"field_link\":\"$127\"}\n11b:{\"type\":\"paragraph--internal_link\",\"id\":\"a527afbb-16a5-4376-83fb-72f8d48388fd\",\"links\":\"$11c\",\"attributes\":\"$11e\",\"relationships\":\"$120\"}\n12f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}\n12e:{\"self\":\"$12f\"}\n131:{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"}\n132:{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation 
about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at CMS\u003c/p\u003e\\n\"}\n133:[\"#security_community\"]\n130:{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":true,\"title\":\"National Institute of Standards and Technology (NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$131\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$132\",\"field_slack_channel\":\"$133\"}\n137:{\"drupal_internal__target_id\":\"explainer\"}\n136:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$137\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A"])</script><script>self.__next_f.push([1,"5993\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}\n138:{\"related\":\"$139\",\"self\":\"$13a\"}\n135:{\"data\":\"$136\",\"links\":\"$138\"}\n13d:{\"drupal_internal__target_id\":6}\n13c:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$13d\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}\n13e:{\"related\":\"$13f\",\"self\
":\"$140\"}\n13b:{\"data\":\"$13c\",\"links\":\"$13e\"}\n143:{\"drupal_internal__target_id\":26}\n142:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$143\"}\n145:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}\n144:{\"related\":\"$145\",\"self\":\"$146\"}\n141:{\"data\":\"$142\",\"links\":\"$144\"}\n14a:{\"target_revision_id\":19645,\"drupal_internal__target_id\":496}\n149:{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":\"$14a\"}\n148:[\"$149\"]\n14c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"}\n14d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_section?resourceVersion=id%3A5993\"}\n14b:{\"related\":\"$14c\",\"self\":\"$14d\"}\n147:{\"data\":\"$148\",\"links\":\"$14b\"}\n151:{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}\n150:{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2aa9c42\",\"meta\":\"$151\"}\n153:{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}\n152:{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc7"])</script><script>self.__next_f.push([1,"5c4f9e\",\"meta\":\"$153\"}\n155:{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}\n154:{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":\"$155\"}\n157:{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}\n156:{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":\"$157\"}\n159:{\"target_revision_id\":19650,\"drupal_internal
__target_id\":2291}\n158:{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":\"$159\"}\n14f:[\"$150\",\"$152\",\"$154\",\"$156\",\"$158\"]\n15b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}\n15a:{\"related\":\"$15b\",\"self\":\"$15c\"}\n14e:{\"data\":\"$14f\",\"links\":\"$15a\"}\n15f:{\"drupal_internal__target_id\":131}\n15e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$15f\"}\n161:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_type?resourceVersion=id%3A5993\"}\n162:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}\n160:{\"related\":\"$161\",\"self\":\"$162\"}\n15d:{\"data\":\"$15e\",\"links\":\"$160\"}\n164:[]\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"}\n167:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}\n165:{\"related\":\"$166\",\"self\":\"$167\"}\n163:{\"data\":\"$164\",\"links\":\"$165\"}\n16b:{\"drupal_internal__target_id\":21}\n16a:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$16b\"}\n169:[\"$16a\"]\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer"])</script><script>self.__next_f.push([1,"/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-4
7af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}\n16c:{\"related\":\"$16d\",\"self\":\"$16e\"}\n168:{\"data\":\"$169\",\"links\":\"$16c\"}\n134:{\"node_type\":\"$135\",\"revision_uid\":\"$13b\",\"uid\":\"$141\",\"field_page_section\":\"$147\",\"field_related_collection\":\"$14e\",\"field_resource_type\":\"$15d\",\"field_roles\":\"$163\",\"field_topics\":\"$168\"}\n12d:{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":\"$12e\",\"attributes\":\"$130\",\"relationships\":\"$134\"}\n171:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015?resourceVersion=id%3A5712\"}\n170:{\"self\":\"$171\"}\n173:{\"alias\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"pid\":356,\"langcode\":\"en\"}\n175:T12321,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook gives practical guidance to Information System Security Officers (ISSO)s at CMS when performing their necessary tasks.\u0026nbsp; It helps new ISSOs get started and explains the responsibilities, resources, and organizational relationships needed for an ISSO to be successful.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis guide is for CMS (Federal) ISSOs, Contractor ISSOs, and contract security support individuals.\u0026nbsp; Business Owners and their staff may also find parts of this handbook useful, particularly when appointing new ISSOs or gaining a better understanding of ISSO tasks.\u003c/p\u003e\u003cp\u003eThe ISSO role is critical to the safe and authorized use of sensitive information in support of CMS commitment to improving healthcare for millions of Americans. 
As an ISSO,\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat do ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery CMS system must formally designate an ISSO who serves as the primary point of contact responsible for the system's security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISSOs at CMS are responsible for overseeing the security and privacy posture of the system(s) entrusted to their care, coordinating all information system risk management and information privacy activities, and acting as the Business Owner's “go-to person” for security questions and needs. Together, the ISSOs make up a supportive community working to ensure the success of the cybersecurity program at CMS.\u003c/p\u003e\u003cp\u003eFor more details, see the section on role and responsibilities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho do ISSOs work with?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is part of the\u003cstrong\u003e portfolio team\u003c/strong\u003e — the group of people who work together to make sure that any given CMS information system complies with federal security requirements and is managed in a way that protects the personal and health information of those who depend on CMS for benefits. The portfolio team has the following roles:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProgram Executive, Information System Owner (ISO), Business Owner (BO), and Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese people work together to take full responsibility for implementing the required security and privacy controls and managing the cybersecurity and privacy risk posture for each system. 
All of these roles must be an agency official (federal government employee) except the ISSO, which may be a federal employee or a contractor.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCRAs are the “go-to” experts in all areas of risk management, and as such they evaluate and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the Authorizing Official. CRAs also help to identify the types of information processed by a system, assign the appropriate security categorizations, determine the privacy impacts, and manage information security and privacy risk. They facilitate the completion of all federal cybersecurity and privacy requirements and this means that CRAs and ISSOs often work closely together.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Data Guardian coordinates CMS Program activities involving beneficiary and other types of consumer information that require privacy protections.\u0026nbsp; The Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Privacy Advisor is a member of ISPG who provides privacy-related expertise to help the team identify and manage privacy risk.\u0026nbsp; The Privacy Advisor is an agency official (federal government employee) and serves as a point of contact for issues related to the Privacy Act. 
They also support the completion of privacy-related artifacts such as Systems of Records Notice (SORN), Privacy Act reviews, and FISMA and Privacy Management Report.\u003c/p\u003e\u003cp\u003eDetailed information about all of these roles can be found in the CMS Information Security and Privacy Policy (IS2P2) and the HHS Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat should an ISSO know?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of every ISSO should be to support the BO to securely provide the service intended by the system. To help accomplish this goal, an ISSO should ideally know and understand their component's business processes and how the system supports that business. This knowledge is critically applied during the construction of the System Security and Privacy Plan (SSPP).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation security is a means to an end and not the end in itself\u003c/strong\u003e. In the public sector, information security is secondary to the agency's services provided to its constituency. 
We, as security professionals, must not lose sight of these goals and objectives.\u003c/p\u003e\u003cp\u003eIn order to help the BO provide a CMS service in a manner that is demonstrably secure and safeguards any sensitive beneficiary information, the ISSO must know (at a minimum):\u003c/p\u003e\u003cul\u003e\u003cli\u003eMission and business functions of their component\u003c/li\u003e\u003cli\u003eHow the system supports the component's mission\u003c/li\u003e\u003cli\u003eSystem details, including:\u003cul\u003e\u003cli\u003eArchitecture\u003c/li\u003e\u003cli\u003eSystem components (hardware, software, peripherals, etc.)\u003c/li\u003e\u003cli\u003eLocation of each system component\u003c/li\u003e\u003cli\u003eData flow\u003c/li\u003e\u003cli\u003eInterconnections (internal and external)\u003c/li\u003e\u003cli\u003eSecurity categorization\u0026nbsp;\u003c/li\u003e\u003cli\u003eSecurity requirements\u003c/li\u003e\u003cli\u003eConfiguration management processes and procedures\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers (how many, location, role, etc.)\u003c/li\u003e\u003cli\u003eKey personnel by name\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow are ISSOs appointed?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Program Executive in coordination with the Data Guardian, ISO, and Business Owner, is responsible for nominating appropriately qualified ISSO appointees, as defined under FISMA, to the CISO for approval.\u003c/p\u003e\u003cp\u003eThe nominated ISSO, by signing the appointment letter, agrees to maintain the appropriate operational security posture of the information system by fulfilling all of the responsibilities identified in the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/a\u003e and the HHS Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eA 
subset of the ISSO's duties and responsibilities is contained in the \u003ca href=\"/learn/isso-appointment-letter\"\u003eappointment letter\u003c/a\u003e. ISSO letters must be updated whenever a change occurs. The designated ISSO should be consistently identified in three sources: the ISSO letter, the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e, and in \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe signed appointment letter should be given to the appropriate CRA for further action.\u0026nbsp;\u003cstrong\u003e It is the responsibility of the CRA to upload the letter to CFACTS\u003c/strong\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eGetting started (for new ISSOs)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCongratulations on your new assignment as an Information System Security Officer (ISSO) at CMS! Because you are charged with protecting the sensitive information contained in systems that support healthcare delivery for millions of people, your role is vital to the success of CMS' mission. You will learn how to identify and protect information that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eIndividually Identifiable Information (IIF)\u003c/li\u003e\u003cli\u003eProtected Health Information (PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis means that security must become a vital part of your daily routine and always top-of-mind. Your training as an ISSO will ensure that you know and understand the requirements for protecting government assets like classified information, property, and personnel.\u003c/p\u003e\u003cp\u003eMost importantly, you will learn to work as part of a team that is dedicated to making sure CMS information systems can operate securely. 
While CMS has established a security program to protect assets and keep sensitive information safe, the key ingredient is always \u003cstrong\u003epeople\u003c/strong\u003e. No matter how comprehensive a program may be, you and your coworkers will ultimately determine the success of our established procedures.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnd we are here to help you along the way! This Handbook is your primary resource for initial information about your role, and will direct you to other sources of help and support.\u003c/p\u003e\u003cp\u003eHere are the steps you should take to get started:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the paperwork\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you have not already, make sure that your \u003ca href=\"/learn/isso-appointment-letter\"\u003e\u003cstrong\u003eISSO Appointment Letter\u003c/strong\u003e\u003c/a\u003e is completed and submitted to your Cyber Risk Advisor (CRA) by your Business Owner (BO). The Appointment Letter is intended to formally nominate you as an ISSO. It also gives you a wealth of information about your duties and responsibilities. It also contains the qualifications and training to which you should aspire. This document may be your first communication with your CRA — the first of many conversations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf you need a copy of the ISSO Appointment Letter template, contact the ISSO Support Team: \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete ISSO onboarding\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO Support team in ISPG can help get you started. You should ask for an initial meeting with the team to orient you to your new role and next steps. \u0026nbsp; You should also reach out to your CRA, who may wish to meet on a regular basis initially, especially if your system has an important near-term milestone. 
If your BO did not set this up for you, you can do it yourself by sending a note to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. It is helpful to put the word “Onboarding” in the subject line.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnow your systems\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMake sure that in your conversation with your Business Owner, you understand whether you are going to be the primary ISSO (or the only ISSO), or if you are going to be an assistant. Do you know where your system is located? When does the Authority to Operate (ATO) expire? Are you working on a new system? The more you know at the beginning, the easier it will be to prioritize and to work with your integrated team. If you have questions about any of this, reach out to the ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIn addition to your BO and your CRA, there are others that you should get to know. We recommend that you reach out to them. We also recommend face to face meetings, at least initially. Some others you should get to know include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOther ISSOs in your component, if applicable\u003c/li\u003e\u003cli\u003eYour system's Technical Lead\u003c/li\u003e\u003cli\u003eWhen appropriate, your system's contractor security support\u003c/li\u003e\u003cli\u003eThe ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssess your skills with the ISSO Score Card\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs come from many backgrounds, both technical and non-technical. Even new ISSOs with a technical background may not be familiar with the “CMS way” of operating. 
While you will be busy with your new role, you should take some initial time to get a better awareness of your capabilities to be a CMS ISSO through some focused initial training.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe've made it easy to figure out what training you should prioritize using a self-assessment tool: the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card.\u003c/a\u003e Every ISSO is encouraged to take this assessment regularly as their knowledge expands. The ISSO Score Card is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eConfidential\u003c/strong\u003e - only you will see the results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eQuick\u003c/strong\u003e - only taking 10-15 minutes to complete\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eGeared to ISSO duties\u003c/strong\u003e - taken directly from CMS policies and requirements\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePersonalized\u003c/strong\u003e - you'll get a customized report to help you make a training plan\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEasy\u003c/strong\u003e - using a simple online web interface\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eGo to the ISSO Score Card\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSign up for training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs an ISSO, it is vital that you understand security and privacy fundamentals and how they are applied at CMS. Regardless of your prior level of experience, you will need to know the CMS-specific workflows and governance. There is a wealth of training available to you, both for getting started and deepening your knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWondering where to start\u003c/strong\u003e? 
Here's a simple checklist to make sure you complete the essential training that will start you on the road to success:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFigure out what you need to know (or brush up on) using the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card\u003c/a\u003e. Use the results to sign up for training that is customized to your level.\u003c/li\u003e\u003cli\u003eLearn about 6 key job functions of ISSOs using the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003evideo training series from CMS\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eSign up for CFACTS training — it's worth the 2-day time investment to get a solid grasp on this essential tool for the ISSO's daily work. (This is available in the CMS Computer Based Training platform).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFinally, to build upon the checklist above, we have provided a list of Basic, Intermediate, and Advanced ISSO training courses that are free for you to take. See the Training section of this Handbook for details.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGet a mentor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOptionally, you can join the \u003ca href=\"/learn/isso-mentorship-program\"\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/a\u003e to be paired with an experienced ISSO. Once paired, you should work together to develop a cadence for meeting and knowledge sharing. This allows you to gain confidence faster and get hands-on support. Learn more about the ISSO Mentorship Program here.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eJoin the community\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cybersecurity community at CMS is alive and growing. There are all kinds of ways that you can get involved, get an idea of what's going on at CMS, and learn how it affects you. 
Attend the CMS Cybersecurity Community Forum, read the ISSO Journal, and look for ISPG-sponsored security and privacy activities.\u003c/p\u003e\u003cp\u003eFinally, if you have any questions along the way, just ask. Your job is very important to the success of CMS programs, and everyone at ISPG is here to support you!\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGoals for your first year\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy the end of your first year as an ISSO, it should be your goal to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn the security planning and administrative security procedures for systems that process sensitive information such as PHI, PII, FTI, and classified and national intelligence data\u003c/li\u003e\u003cli\u003eUnderstand the implementation and enforcement of CMS Information System Security and Privacy policies and practices\u0026nbsp;\u003c/li\u003e\u003cli\u003eKnow the concerns and requirements that determine the administration and management of physical, system, and data access controls based on the sensitivity of the data processed and the corresponding authorization requirements\u003c/li\u003e\u003cli\u003eLearn the identification, analysis, assessment and evaluation of information system threats and vulnerabilities and their impact on their component's critical information infrastructures\u003c/li\u003e\u003cli\u003eBe able to identify management, technical, personnel, operational and physical security controls\u003c/li\u003e\u003cli\u003eUnderstand any additional critical areas of knowledge related to your system\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eRole and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSOs maintain a strong security and privacy posture for their assigned system(s) in the following high-level ways:\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eServe as principal advisor\u003c/strong\u003e to the System Owner (SO), Business Owner (BO), and the Chief Information 
Security Officer (CISO) on all system security and privacy matters\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain system authorization \u003c/strong\u003eby following the \u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eNIST Risk Management Framework\u003c/a\u003e to select, implement, document, test, and maintain the security and privacy controls required to authorize and operate information systems within CMS's risk tolerance throughout the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain security and privacy operations\u003c/strong\u003e capabilities sufficient to identify, detect, protect, respond, and recover from security incidents (as per the \u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-cybersecurity-framework-csf\"\u003eNIST Cybersecurity Framework\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMeet federal reporting requirements\u003c/strong\u003e for information security and privacy, including documenting and mitigating weaknesses and reporting incidents and breaches\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eManage privacy requirements\u003c/strong\u003e by working collaboratively with Data Guardians and Privacy Advisors\u003c/p\u003e\u003cp\u003eThe official role and specific responsibilities for ISSOs are outlined in detail by the CMS Information Security and Privacy Policy (IS2P2), which is based upon the related policy document from HHS (IS2P). 
The following list is based on those policy documents and includes some key duties for ISSOs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eComplete the security categorization for the FISMA system using the CFACTS tool\u003c/li\u003e\u003cli\u003eComplete and maintain the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e using the CFACTS tool\u003c/li\u003e\u003cli\u003eEnsure \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Tests\u003c/a\u003e have been scheduled and completed in a timely manner\u003c/li\u003e\u003cli\u003eDevelop, document and maintain an inventory of hardware and software components within the FISMA system's authorization boundary\u003c/li\u003e\u003cli\u003eCoordinate the development of a \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan\u003c/a\u003e and ensure the plan is tested and maintained accordingly\u003c/li\u003e\u003cli\u003eMaintain primary responsibility for the actions and activities associated with the FISMA system receiving and maintaining an \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to manage information security and privacy risk\u003c/li\u003e\u003cli\u003eMonitor and update all POA\u0026amp;Ms in accordance with current requirements and instruction\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline\u003c/li\u003e\u003cli\u003eIdentify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems;\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to meet all collection, creation, use, dissemination, 
retention, and maintenance requirements for sensitive information in accordance with the Privacy Act, E-Government Act, and all other applicable guidance\u003c/li\u003e\u003cli\u003eCoordinate with the BO, Contracting Officer, ISO, and CISO to ensure that all requirements specified by the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e and the \u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eRMH\u003c/a\u003e are implemented and enforced for applicable information and information systems\u003c/li\u003e\u003cli\u003eReport and manage IT Security and Privacy Incidents in accordance with the RMH and other applicable federal guidance\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTypes of ISSO roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe specific type of ISSO role assigned to a system will depend on the needs of the system and the available personnel. The descriptions below are taken from the CMS Information Security and Privacy Policy (IS2P2).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrimary Information System Security Officer (P-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS P-ISSO may be either a federal government employee or a contractor and must fulfill all of the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.24, System Security and System Privacy Officers. 
The P-ISSO must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the IS2P Sections 7.26 and 7.30.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecondary Information System Security Officer (S-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS S-ISSO may be either a federal government employee or a contractor identified in the IS2P Section 7.25, ISSO Designated Representative / Security Steward and must assist the P-ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Security Officer Contractor Support (ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ISSOCS is a contractor-only role that assists and supports the P-ISSO and S-ISSO roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor role may be performed by an ISSO. Note that an assessment supporting an authorization decision is performed by an independent assessor (see the Security Assessment Report section below), so confirm with your CRA before an ISSO assesses controls on a system they are themselves responsible for. The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.23.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by an ISSO. The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.30.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO checklist\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis section provides a list of specific tasks an ISSO should perform periodically. The timelines listed for each task are general guidelines, which may vary depending on the Component guidance or system circumstances. 
This list isn't comprehensive, but serves as a quick reference to help you plan your work. You may choose to make a spreadsheet for yourself to keep track of recurring tasks and due dates.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWeekly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview audit logs\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based upon change requests\u003c/li\u003e\u003cli\u003eEnsure data is backed up (and that restores from backup have been verified, since an untested backup cannot be relied on for recovery)\u003c/li\u003e\u003cli\u003eCheck status of any \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonthly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview / deactivate unused accounts\u003c/li\u003e\u003cli\u003eEnsure all POA\u0026amp;Ms with Open or Delay status are annotated with current status\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eQuarterly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all data in CFACTS is current and accurate one week before the end of the quarter (CMS submits a quarterly FISMA report to OMB based on this data)\u003c/li\u003e\u003cli\u003eEnsure the completion of internal vulnerability scans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAnnually\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and update all \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e, such as those listed below. 
Remember that most of these require months of effort to complete, so you must be working on them well in advance.\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e Note: Updating security control implementation is a necessary first step to updating the SSPP. When updating any documents, ensure the old copy is retained.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure that all system users and people with significant security responsibilities (e.g., ISSOs) receive their required annual awareness training\u003c/li\u003e\u003cli\u003eConduct a Contingency Plan Test with associated training, after-action, and updated POA\u0026amp;Ms as necessary. 
Ensure that the Business Owner certifies (signs) any updated CP document.\u003c/li\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) for your system(s) and update as appropriate\u003c/li\u003e\u003cli\u003eEnsure vulnerability assessments are completed at least annually, or when significant changes are made to the system\u003c/li\u003e\u003cli\u003eReview and validate user access rights\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOngoing\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eContinual security control assessment to identify control weaknesses and track residual risk (risk is managed and documented, never eliminated)\u003c/li\u003e\u003cli\u003eContinual work on tests and assessments (as needed) such as:\u003cul\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/li\u003e\u003cli\u003ePenetration Testing\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eContinual updating of the \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e (see list in the section above). All of these should be updated as changes occur, and all require an annual review and update.\u003c/li\u003e\u003cli\u003eComplete incident response reports (as required)\u003c/li\u003e\u003cli\u003eATO updates (as required)\u003c/li\u003e\u003cli\u003eRespond to any CCIC monitoring alerts (as required)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eISSO activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this section to learn in-depth about the activities you must understand and perform as an ISSO from the very beginning of your system's development. These activities support the CMS \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC), which is the framework that standardizes how IT systems are built, maintained, and retired at CMS. 
The ISSO activities also support the Risk Management Framework (RMF) from NIST, which helps organizations integrate security considerations into their software development processes.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct a Security Impact Analysis (SIA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis\u003c/a\u003e\u0026nbsp;is the process that you will use initially for your new system and \u003cstrong\u003eevery time\u003c/strong\u003e a new change to the system is proposed. When you have completed this process, you will be able to provide substantive recommendations to your Business Owner on the impact of any proposed change(s). The impact may be small, or it may rise to the level of a new ATO process.\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; SIAs are frequently thought of as documents.\u0026nbsp; Remember that \u003cstrong\u003eSIA is a process\u003c/strong\u003e.\u0026nbsp; Based on the complexity and extent of the process, a completed form may help better describe the security impact, as well as necessary actions to take.\u0026nbsp; The actual CMS/FISMA requirement noted in ARS 5.1 Control CM-4 requires “Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) to conduct security impact analyses.”\u0026nbsp; It is up to you and your Business Owner/organization to determine the level to which you document your analysis. At a minimum, record whether the change affects the system categorization, the authorization boundary, or any inherited controls, since those outcomes drive the later steps described on this page.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-impact-analysis-sia\"\u003eLearn about Security Impact Analysis (SIA)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCategorize your FISMA system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour FISMA system has different security controls based on the sensitivity of the information contained in or 
processed by your system. Categorization takes place within CFACTS.\u0026nbsp; You enter the appropriate area and select the type of information that will be processed.\u0026nbsp; The system categorization will be suggested automatically and noted as “Low”, “Moderate”, or “High”.\u0026nbsp; If necessary, the categorization may be manually overridden; your CRA will have to help with this.\u0026nbsp; In practice this seldom happens. Any override, particularly one that lowers the categorization, should be justified and documented, because the categorization determines the control baseline allocated to the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis system categorization will have a variety of uses.\u0026nbsp; Most importantly, you will need to have this information to determine which controls to allocate for your system.\u003c/p\u003e\u003cp\u003eNote: Although this process sounds like it will only be done once for your FISMA system, \u003cstrong\u003eyou may have to repeat it\u003c/strong\u003e if a proposed change includes access or storage of different types of data. \u0026nbsp; Your completed SIA will guide your actions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eLearn more about system categorization here\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSee how to categorize your system in CFACTS\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDetermine the Authorization Boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnother major initial task is to determine the system's \u003cstrong\u003eAuthorization Boundary\u003c/strong\u003e. 
The NIST definition of authorization boundary is: “All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected”.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eOne practical way of determining the system's authorization boundary is to ask whether a particular component can be changed by one's system team, or if another team has to make updates or changes.\u0026nbsp; If your team can make the change or configuration, chances are that the component falls within your authorization boundary. The converse is not automatic: a component administered by another team is outside your boundary only if it is covered by its own authorization (the “separately authorized systems” the definition excludes); otherwise it remains your responsibility and belongs in your component inventory. As with system categorization, the authorization boundary is usually determined at the outset of system development. It may expand or contract based on changes to the system over its lifecycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBe aware of High Value Assets (HVAs)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe HHS HVA Program Policy defines HVAs as: “Assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.”\u003c/p\u003e\u003cp\u003eThe practical impact of this program is that, if your FISMA system is defined as an HVA, it will face additional security requirements from DHS and HHS, which may affect the system's continuity of operations and its assessment requirements (for example, the annual penetration testing described later on this page).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAllocate controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce a system has been categorized, the ISSO has the information necessary to select controls, or allocate them.\u0026nbsp; The process is largely automatic, and is well-described in the CMS Risk Management Handbook (RMH) Chapter 12: Security and Privacy Planning. 
Selected controls are allocated for Low, Moderate, or High systems based on system categorization. The mechanics are described very well in the CFACTS User Manual, so that should be your primary reference point on allocating controls. Some general control types include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem-specific controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThese are controls that your system “owns”.\u0026nbsp; If you are running on hardware that you are responsible for, there are system-specific controls for it.\u0026nbsp; If your system is an application, or Major Application, the system-specific controls are those controls that your developers and administrators configure and maintain.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInherited controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn many cases your system uses components provided by other FISMA systems. In the above example about hardware, what if your system is housed on hardware administered by others? This is not just a possibility: in most cases, major applications run within a separate data center. Certainly this is the case for systems housed in the AWS Cloud. In these instances, the data center (or other entity) that houses your system will most likely take care of some of the controls for your system, in which case your system will be able to “inherit” controls.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the providing system completely takes care of a control, it is called a \u003cstrong\u003ecommon, or fully inherited\u003c/strong\u003e control. If the providing system takes care of part of a control, and relies on your system to take care of the rest of the control, it is called a \u003cstrong\u003ehybrid\u003c/strong\u003e control. For a hybrid control, your system remains accountable for its own portion, which must be implemented and documented just like a system-specific control. 
(The CFACTS User Manual has additional information on how to inherit a control.)\u003c/p\u003e\u003cp\u003eUnderstanding which controls your team must address and which controls are available through full or partial inheritance will help you understand how to document your security control compliance (which is the next step in the cycle).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSupplemental controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupplemental controls (previously referred to as non-mandatory controls in ARS 3.1) can be added to a system as necessary, and are not included in baseline control allocation. They should be reviewed and added as appropriate for your system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eImplement security controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIt is your responsibility as your system's security and privacy Subject Matter Expert to make sure that your Business Owner, system developers, and system administrators understand the controls that must be in place for your system to be “secure” to CMS standards.\u0026nbsp; Once these controls have been implemented, \u003cstrong\u003ethey need to be documented within CFACTS\u003c/strong\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; All security controls that have been allocated for your system \u003cstrong\u003emust have some comment\u003c/strong\u003e. \u0026nbsp; Even fully inherited controls should have a notation that the control is fully inherited, naming the providing system it is inherited from so that the inheritance can be verified against that system's authorization.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDevelop system documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eProminent documents are important to understanding the security posture of your FISMA system.\u0026nbsp; CFACTS can help with this process by automatically generating some of the documents, such as the System Security Plan. Other documents are found within CFACTS, such as System Categorization. 
Others, such as the Information System Risk Assessment (ISRA), must be completed using CMS-approved templates. Finally, others may either use a CMS template or a locally generated document such as the Security Impact Analysis (SIA).\u003c/p\u003e\u003cp\u003eNote:\u003cstrong\u003e Make sure that all CFACTS entries, including all security controls, are accurate and complete at all times.\u0026nbsp;\u003c/strong\u003e This will ensure that CFACTS-generated documents are accurate.\u003c/p\u003e\u003cp\u003eItems for the system documentation include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem Security and Privacy Plan (SSPP)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e is the key document associated with the FISMA system security. It should provide an accurate, detailed description of the FISMA system itself, security requirements, and those controls that are actually in place to protect the system. This document is generated by CFACTS.\u003c/p\u003e\u003cp\u003eTip: It is a best practice to maintain older copies of SSPPs as new versions are generated. 
Do not overwrite old SSPPs; you never can tell when you might need to refer to an older version (for example, to show which controls were in place at the time of a prior authorization or an incident).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eLearn more about System Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Risk Assessment (ISRA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eISRA\u003c/a\u003e details the business and technical risks associated with a FISMA system.\u0026nbsp; It shares high-level information from CFACTS, as well as specific risks noted and how critical they are.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eLearn more about Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePIA\u003c/a\u003e is not simply a compliance step; it guides the full analysis of a system for privacy risks and controls. A PIA is a process for assessing whether appropriate privacy policies, procedures, business practices, and security controls are implemented to ensure compliance with federal privacy regulations. 
PIAs are published on HHS.gov and go through a three-year review process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003eLearn more about Privacy Impact Assessment (PIA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eThird-Party Websites and Applications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_M-10-23.pdf\"\u003eOffice of Management and Budget Memorandum 10-23\u003c/a\u003e, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party websites and applications to ensure that the use protects privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs for all third-party websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. The CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system can be \u003ca href=\"https://www.hhs.gov/pia/index.html#Third-Party\"\u003eaccessed here on the HHS website\u003c/a\u003e. CMS implementation specifications are included in the CMS Acceptable Risk Safeguards (ARS 5.1).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Threshold Analysis\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA Privacy Threshold Analysis (PTA) is a PIA for a system that does not contain PII or only contains HHS employee information. PTAs remain internal to HHS and do not have to go through the three-year review process. A PTA may be updated based on a major change to the system. 
It is also possible that a change to a system could result in a PTA then meeting the threshold to be a PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct Contingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp;provides instructions, disaster declaration criteria, and procedures to recover information systems and associated services after a disruption. It involves cooperation with your Business Owner, your data center or hosting facility, and senior CMS leadership. (See CMS Risk Management Handbook Chapter 6: Contingency Planning).\u003c/p\u003e\u003cp\u003eAs the ISSO, you will coordinate efforts with your Business Owner to determine the business criticality of key processes. This effort will result in a Business Impact Analysis (BIA) which, in turn, serves as the primary requirement document for determining key recovery metrics including the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Maximum Tolerable Downtime (MTD), and Work Recovery Time (WRT).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime.\u0026nbsp; Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHere are the key steps and documents involved in Contingency Planning:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCreate Contingency Plan (CP) document\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP is a single document that contains:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey recovery metrics for your FISMA system\u003c/li\u003e\u003cli\u003ePre-defined descriptions of conditions that constitute a need for 
action\u003c/li\u003e\u003cli\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli\u003eItem-level understanding of all of the hardware and software components of the FISMA system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt's important to keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CP must be attested to (signed) by the FISMA System Owner annually.\u003c/li\u003e\u003cli\u003eAll of the information necessary for executing the contingency plan must be in the CP.\u0026nbsp; There should be no references to offline personnel lists, contact information, system information, etc.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAll identified Key Personnel must have access to their own copy of the CP in a secure location that is accessible in the event that the FISMA system is unavailable. Because the CP contains staff contact details and a component-level inventory of the system, these copies must be protected like any other sensitive system documentation.\u003c/li\u003e\u003cli\u003eThe Contingency Plan, above all FISMA system documentation, must remain current.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eConduct Contingency Plan (CP) Exercise\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP must be exercised (tested) at least once every 365 days. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one (the easiest) way to test the CP. An exercise plan must be prepared and followed during the execution of the test. All staff who would participate in an actual CP event must be available for the exercise.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: \u003cstrong\u003eKey staff members must be trained annually in their contingency responsibilities.\u003c/strong\u003e It is best to perform this training immediately prior to the exercise. 
Training in this way refreshes individuals' memories and ensures their availability for the test.\u003c/p\u003e\u003cp\u003e\u003cem\u003eTip: If your FISMA system is involved in an outage that causes you to execute the CP, you should consider documenting this event as an exercise of your CP, provided you produce the same after action report and POA\u0026amp;M follow-up that a planned exercise requires.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/contingency-plan\"\u003eLearn more about Contingency Plan testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGet after action report\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter the exercise is conducted, an after action report must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in POA\u0026amp;Ms.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAchieve Contingency Plan (CP) re-certification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter any corrections have been made, the updated Contingency Plan must be re-certified by the System Owner. Make sure that all key staff members receive updated CP documents that they have access to (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies, so that stale contact lists and procedures are not used during a real event.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssess security controls for your system(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS systems are required to undergo assessments of risk and security/privacy control compliance before they are given Authorization to Operate (ATO). 
The assessment and authorization process protects the security and privacy posture of CMS systems throughout the system development lifecycle.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAssessments of risk and/or control compliance are conducted:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen a new system is ready to be placed into an operational state\u003c/li\u003e\u003cli\u003eWhen a significant change has been made to an existing system\u003c/li\u003e\u003cli\u003eAnnually, if a system follows a FISMA 1/3 assessment schedule\u003c/li\u003e\u003cli\u003eAd hoc when requested or otherwise required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCurrently there are two main types of controls assessments: SCA and CSRAP (formerly ACT).\u0026nbsp; Your component will dictate which type of assessment your system undergoes.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: Whichever one your system uses, make sure to schedule your assessment \u003cstrong\u003eas soon as possible\u003c/strong\u003e. When the assessment is complete, make sure all documentation is complete and housed in CFACTS appropriately.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Controls Assessment (SCA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis is a detailed evaluation of the controls protecting an information system.\u0026nbsp; The security controls assessment determines the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eLearn more about Security Controls Assessment (SCA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP) (formerly Adaptive Capabilities Testing (ACT))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. 
CSRAP assesses a system's security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). For detailed information about CSRAP, see the \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e (hosted on CMS Confluence; access may require a CMS account).\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePenetration testing\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePenetration testing is performed on information systems or individual system components to identify vulnerabilities that could be exploited by bad actors. It is used to validate vulnerabilities or determine the degree of resistance that organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills).\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing attempts to duplicate the actions of internal and external bad actors in carrying out hostile cyber-attacks against the organization and allows a more in-depth analysis. 
It can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing is performed on all High Value Asset (HVA) information systems within CMS at a frequency of every 365 days or when there has been a significant change to the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is considered to be part of the group of assessments required for CMS systems, and its results are recorded in CFACTS similarly to the controls assessments (SCA and/or CSRAP).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003eLearn more about penetration testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Assessment Report (SAR) and CAAT file\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFor all assessments, a final Security Assessment Report (SAR) chronicles the results of the assessment. The \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eRisk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e states:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAt the completion of a security controls assessment, the independent assessor completes a CMS Assessment and Audit Tracking (CAAT) spreadsheet. The CAAT spreadsheet is utilized for all CMS audits, assessments and penetration testing vulnerabilities. The completed CAAT spreadsheet is emailed to the CMS CISO mailbox at \u003c/em\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003e\u003cem\u003eCISO@cms.hhs.gov\u003c/em\u003e\u003c/a\u003e\u003cem\u003e for upload into the CFACTS tool. Once uploaded into CFACTS, the weaknesses are automatically generated for all items with a status of “other than satisfied”. The ISSO for the associated information system receives an automated email notification from the CFACTS tool identifying a new weakness. 
The ISSO has 30 days to create a POA\u0026amp;M within CFACTS.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage Plan of Action and Milestones (POA\u0026amp;M)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe POA\u0026amp;M is a remedial action plan (the process of accepting or resolving a risk) which helps the agency to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and assess information system security and privacy weaknesses\u003c/li\u003e\u003cli\u003eSet priorities about how to mitigate weaknesses using available resources\u003c/li\u003e\u003cli\u003eMonitor and report progress toward mitigating the weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO are responsible for opening, maintaining / updating, and closing POA\u0026amp;Ms on a continual basis to ensure the maximum level of information security for system(s) entrusted to your care.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003eLearn more about Plan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthorize the system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystem authorization is the formal decision by senior officials to allow a CMS information system to operate. 
Commonly known as Authorization to Operate (ATO), this is the culmination of all the tests, assessments, remediation, documentation, and other activities that the ISSO and others on the portfolio team have done to ensure information security for the system.\u003c/p\u003e\u003cp\u003eIn formal terms, authorization is described in the CMS Risk Management Handbook Chapter 4: Security Assessment and Authorization:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSecurity authorizations are official management decisions that are conveyed through authorization decision documents by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. The CIO serves as the authorizing official for CMS. The CIO is responsible for making an overall determination of risk and authorizing CMS information systems for operation, if it is determined that the associated risks are acceptable. 
An ATO memo is signed by the CIO giving the System Owner/BO formal authority to operate a CMS information system.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThere are three NIST document requirements for an ATO “package” and six more that are specific to CMS.\u0026nbsp; The documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Security and Privacy Plan (SSPP)\u003c/li\u003e\u003cli\u003eSecurity Assessment (Final) Report (SAR)\u003c/li\u003e\u003cli\u003ePlans of Action and Milestones (POA\u0026amp;M)\u003c/li\u003e\u003cli\u003eContingency Plan (CP)\u003c/li\u003e\u003cli\u003eCP Testing Plan\u003c/li\u003e\u003cli\u003eCP Test After Action Report\u003c/li\u003e\u003cli\u003eInformation System Risk Assessment (ISRA)\u003c/li\u003e\u003cli\u003ePrivacy Impact Assessment (PIA)\u003c/li\u003e\u003cli\u003eInterconnection Security Agreement (ISA) as applicable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGetting these documents together and conducting all necessary steps can be a long process so \u003cstrong\u003eyou should start working on your ATO as early as possible\u003c/strong\u003e to ensure timely completion.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/authorization-operate-ato\"\u003eLearn more about System Authorization\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuous monitoring\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eContinuous monitoring is the practice of using modern tools and technology to continuously check systems for vulnerabilities and risks. Rather than thinking of getting an ATO as having “achieved” compliance, continuous monitoring allows us to observe and track evolving risks over time. Security is never “done”.\u003c/p\u003e\u003cp\u003eContinuous monitoring is a growing program at CMS. 
As an ISSO, you will work closely with the CMS Cybersecurity Integration Center (CCIC) to ensure that your system is appropriately monitored.\u0026nbsp; CCIC ensures oversight of information security and privacy, including Security Information Event Management, for each FISMA system operated by or on behalf of CMS.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CCIC delivers various agency-wide security services.\u0026nbsp; These services include \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e as well as security engineering, incident management, forensics and malware analysis, information sharing, cyber threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eMore information about continuous monitoring can be found in the \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eCMS Risk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage security incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAlong the way, a system entrusted to your care might have a security or privacy incident or breach. Anytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. 
If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eKnown or suspected security or privacy incidents involving CMS information or information systems \u003cstrong\u003emust be reported immediately\u003c/strong\u003e to the CMS IT Service Desk:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 1-800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO should be apprised of the situation as soon as possible (if you're not the one who initially reported the incident). You will work with the Incident Management Team (IMT) and others involved with your system to manage and report the incident and mitigate any resulting harm. More details can be found in the CMS Risk Management Handbook (RMH) Chapter 8: Incident Response.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISSO toolkit\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section contains links to documents you will access often in your daily activities, and resources to support your work as an ISSO. You should become familiar with the purpose and usage of each.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocuments\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Information Security Acceptable Risk Safeguards (ARS 5.1) defines information security and privacy control requirements and includes additional, detailed policy traceability statements within each control description. 
The ARS 5.1 provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS 5.1 may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.\u003c/p\u003e\u003cp\u003eThe goal of the ARS 5.1 is to define a baseline of minimum information security and privacy assurance controls. The controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS. Protecting and ensuring the confidentiality, integrity, and availability for all of CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS 5.1 complies with the CMS IS2P2 by providing a defense-in-depth security structure along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cybergeek.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eLearn more about ARS 5.1\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis policy defines the framework under which CMS protects and controls access to CMS information and information systems. 
It provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information to assure the confidentiality, integrity, and availability of CMS information and systems.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eAlong with the Acceptable Risk Safeguards (ARS 5.1), the IS2P2 stands as one of the core reference sources for cybersecurity policies and practices at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eGo to the IS2P2\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Risk Management Handbooks\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis series of handbooks is designed to help ISSOs understand and address the many CMS security and privacy requirements developed to protect their system(s). The RMH chapters are generally aligned to provide specific guidance and recommendations for specific ARS 5.1 Control Families. (For example, \u003cstrong\u003eRMH Chapter 6: Contingency Planning\u003c/strong\u003e addresses the ARS 5.1 controls in the \u003cstrong\u003eCP Family\u003c/strong\u003e.) As you work through your ARS 5.1 controls, you should have the appropriate RMH handy.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eLearn more about the CMS Risk Management Handbook (RMH)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTools and resources\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS FISMA Controls Tracking System (CFACTS) is the system used by CMS as a repository for managing the security and privacy requirements of its information systems. 
It provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across the CMS enterprise. You will use it for tracking your tasks associated with system authorization, risk remediation, and more.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx#home\"\u003eGo to CFACTS\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003cp\u003eA user manual is produced by the team that administers CFACTS and gives a guided tour through all activities in CFACTS. Although it is not a primer in risk management, many activities and concepts can be understood implicitly through their description in the User Manual and implementation in CFACTS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx\"\u003eGo to CFACTS user manual\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISPG website (CyberGeek)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Information Security and Privacy Group (ISPG) provides the “CyberGeek” website as a one-stop shop for all security and privacy related information at CMS including dedicated resource pages for ISSOs and other roles. This is a new site, and more information will become available as it grows.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/\"\u003eGo to ISPG website (CyberGeek)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Slack\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSlack is an application that allows for fast and easy communication among all CMS employees and contractors. Spaces called channels allow for focused communication which will keep you organized and informed during your daily routine. 
Below is a list of Slack channels that will help you on your journey to becoming a fully independent ISSO:\u003c/p\u003e\u003cul\u003e\u003cli\u003e#ars-feedback\u003c/li\u003e\u003cli\u003e#cfacts_community\u003c/li\u003e\u003cli\u003e#cisab\u003c/li\u003e\u003cli\u003e#cms-isso\u003c/li\u003e\u003cli\u003e#cyber-risk-management\u003c/li\u003e\u003cli\u003e#ispg-all\u003c/li\u003e\u003cli\u003e#isso-as-a-service\u003c/li\u003e\u003cli\u003e#security_community\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAcronyms\u003c/h4\u003e\u003cp\u003eLike most other parts of government, the security and privacy world at CMS is full of acronyms. ISPG maintains a list of acronyms so you can easily look up unfamiliar terms.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/acronyms\"\u003eSee the acronym list here\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Framework\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an ISSO, your daily tasks support CMS in applying the NIST Cybersecurity Framework (CSF), guidance created by the National Institute of Standards and Technology to help organizations effectively manage cybersecurity risk. (Executive Order 13800, \u003ca href=\"https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure\"\u003eStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure\u003c/a\u003e, made the Framework mandatory for U.S. federal government agencies.)\u003c/p\u003e\u003cp\u003eWe have created the \u003cstrong\u003eISSO Framework\u003c/strong\u003e to show how ISSO responsibilities align with specific functions and categories of the NIST Cybersecurity Framework, and how the ISSO works with other people within the organization to complete tasks. 
You can refer to this Framework whenever you have questions about documentation or activities related to your job.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSPC/ISPG%20DSPC%20Documents%20%20Internal/ISSO%20Engagement%20and%20Outreach%20Initiative/ISSO%20Framework\"\u003eGo to the ISSO Framework\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity and Privacy Language for IT Procurements\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS provides templated language to use in IT procurements to ensure the security and privacy of information and information systems that CMS uses. This includes systems provided or managed by contractors or subcontractors on behalf of CMS. The ISSO may provide support to this process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-and-privacy-requirements-it-procurements\"\u003eLearn more about Security and Privacy Language for IT Procurements\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTarget Life Cycle (TLC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS requires all new IT systems to follow the Target Life Cycle (TLC), a common framework for governing system development across the enterprise. The TLC accommodates various IT development methodologies while ensuring that systems meet all applicable legislative and policy requirements.\u0026nbsp;\u003c/p\u003e\u003cp\u003e(The TLC has replaced the former Expedited Life Cycle (XLC) as the official IT governance framework at CMS. 
If your current projects or contracts specify the use of XLC-related tools, templates, or reviews, you may continue using them.\u0026nbsp; You may also use fewer or alternative tools and templates, as long as you meet the minimum requirements outlined within the TLC.)\u003c/p\u003e\u003cp\u003eAs an ISSO, you will enter the TLC by filling out an intake form when you:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInitiate a new IT project\u003c/li\u003e\u003cli\u003eConduct an acquisition to support a new IT project\u003c/li\u003e\u003cli\u003eRequest new/increased funding to support an IT project\u0026nbsp;\u003c/li\u003e\u003cli\u003ePlan significant changes to an existing IT project\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter submitting your form, the CMS IT Governance Team will help you meet TLC requirements. You can also contact the governance team via email: \u003ca href=\"mailto:IT_Governance@cms.hhs.gov\"\u003eIT_Governance@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC\"\u003eLearn more about the TLC\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/CIOCorner/Lists/Intake/NewForm.aspx\"\u003eFill out an intake form\u003c/a\u003e (requires CMS login)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eResources external to CMS\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) is the parent organization for CMS. All of our policies and guidance are based on HHS-level documentation. 
The IS2P comprises HHS policies and procedures that ensure the secure collection, use, sharing, and storage of information that is both terrorism-related information and “protected information (PI)”.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere possible, this document identifies existing HHS policies and procedures that meet the privacy requirements. Where necessary, however, this document also creates policies specific to the activities and resources that HHS requires.\u0026nbsp; The IS2P is one of the base documents from which CMS requirements are created. You can request a copy of this policy from the CISO team: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHHS Cybersecurity Library\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes CMS borrows policies and standards directly from HHS, our parent organization. You will sometimes need to access the HHS library of cybersecurity documents for your work.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://intranet.hhs.gov/security/index.html\"\u003eGo to the HHS library\u003c/a\u003e (requires login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Special Publications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eNIST Special Publications in the 800 series are of general interest to the computer security community, and these documents serve as the foundation for CMS security and privacy practices. 
Specifically helpful to ISSOs are the publications that contain detailed explanations of information security controls and the test cases used to assess them.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53: Recommended Security Controls for Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final\"\u003eNIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-800-series-of-special-publications\"\u003eLearn more about NIST SP 800 series\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Computer Security Resource Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe National Institute of Standards and Technology (NIST) publishes helpful resources on computer, cyber, and information security and privacy. Explore publications, news, programs, and events that will help you expand your cybersecurity knowledge.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/\"\u003eVisit the NIST Resource Center\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOMB Memoranda and Circulars\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEvery year, the Office of Management and Budget (OMB) publishes a Memo with reporting instructions and guidance for FISMA, which can be useful to people with cybersecurity responsibilities at CMS. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/memoranda/\"\u003eExplore OMB memos here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThere are a number of OMB Circulars that provide general guidance on information security. 
Three of the most relevant are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a130_a130appendix_iii\"\u003eA-130 - Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_Circular_A-123.pdf\"\u003eA-123 - Management's Responsibility for Internal Control\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a127/\"\u003eA-127 - Financial Management Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOMB A-130 applies to all IT systems while A-123 and A-127 apply primarily to financial systems. ISSOs should be aware of these foundation documents and have a general understanding of their content. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars/\"\u003eExplore all OMB Circulars here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho to contact\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen you have a question or challenge, we are here to help! Here are key points of contact for situations you may face as an ISSO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy incident\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReport known or suspected security or privacy incidents involving CMS data to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDo you have a question or concern related to CMS information security or privacy, and need a place to start? 
Send an email to the CISO Team at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e regarding information security, or an email to \u003ca href=\"mailto:Privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e for questions regarding information privacy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you have questions about the ISSO role or other activities such as the ISSO Forum — or if you just want to hear from an ISSO — send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOversight and guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) and Privacy Advisor are your ISPG support representatives. They help improve accountability and risk management by providing hands-on oversight to system cybersecurity and privacy risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO community\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Community Forum (C3F)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis monthly meeting is held for the benefit of the CMS security community, covering timely and relevant topics from ISPG speakers. It's open to all CMS and contractor security professionals. Meeting details (location, time, video conferencing link) will be in the email invitation, which is sent monthly to everyone at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eSee past Forum videos and materials\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Journal\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRead the ISSO Journal to stay updated on cybersecurity trends, learn about current events, and hear from other ISSOs. 
The Journal is distributed widely among CMS staff, and all cybersecurity professionals — both CMS and contractor staff — are invited to contribute! Contact us by email (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e) if you would like to write a post.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Journal\"\u003eRead the ISSO Journal\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe mentorship program allows experienced ISSOs to support those who are newer to the role. For mentors, this is an opportunity to build leadership skills and strengthen the future of cybersecurity at CMS. For mentees, this allows you to build your knowledge faster and get hands-on support. The structure of the program is flexible — both ISSOs will decide what cadence and duration for meetings works for them.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA mentorship usually lasts 6 months to a year. Your supervisor will need to approve your participation in the program.\u0026nbsp; Note that although the program is generally used by newer ISSOs, it is also available for existing ISSOs who want additional bootstrap help — for example, if they are dealing with an issue or project that is new to them. Mentorship is for these ISSOs, too!\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/isso-mentorship-program\"\u003eLearn about the ISSO Mentorship Program\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePeople come to the ISSO role from many backgrounds, with differing experiences, so each may start at a different place. Broadly, ISSOs need to have both general cybersecurity knowledge and specific knowledge of how things operate at CMS. 
For new ISSOs, see the “Getting Started” section of this Handbook for tips on beginning your training journey.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNICE code for ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere is a Federal initiative to help train cybersecurity professionals. The \u003ca href=\"https://www.nist.gov/itl/applied-cybersecurity/nice\"\u003eNational Initiative for Cybersecurity Education\u003c/a\u003e (NICE) seeks to link appropriate training to cybersecurity roles by associating NICE “codes” with training opportunities. \u003cstrong\u003eAs an ISSO, your NICE code is OVMGT001\u003c/strong\u003e. Knowing this will help you find appropriate training for particular tasks or knowledge areas.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining sources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are many external sources such as professional associations and training organizations that can help you expand your cybersecurity knowledge and skills, but you can also get excellent free training that is provided by CMS and HHS. 
They are offered via the following platforms:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"http://www.cms.gov/cbt\"\u003eCMS Computer Based Training\u003c/a\u003e (CBT) - Free online training courses provided by CMS\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Training Catalog - List of current training offerings and events (such as webinars) from CMS\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/display/IIP/ISSO+Training\"\u003eISSO Training Page\u003c/a\u003e - Collection of training resources in the ISPG Confluence environment that helps you navigate the training options available to you\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://ams.hhs.gov/amsLogin/SimpleLogin.jsp\"\u003eHHS Learning Management System\u003c/a\u003e\u0026nbsp; (LMS) - Free courses for federal employees (not contractors) provided through HHS to advance your core cybersecurity knowledge or prepare you for certifications\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://fedvte.usalearning.gov/\"\u003eFederal Virtual Training Environment\u003c/a\u003e (FedVTE) - Another source of free training courses available to federal employees and contractors (similar to the LMS above).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo help ISSOs focus on the most relevant training, below is a list of Basic, Intermediate, and Advanced courses that will help you grow in the specific skills needed for your role.\u003c/p\u003e\u003ch4\u003eBasic ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below provide both an introduction to cybersecurity in general and guidance on how these concepts are implemented at CMS. The courses listed in bold are the most important. You should consider some or all of the rest of the courses as your time permits. If possible, try to complete the bolded courses within your first two months as an ISSO. There is no cost to take these courses. 
Note: HHS LMS is only available to federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eISSO Fundamentals\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWorking With CFACTS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eClassroom / Remote\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAll About the CMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrivacy and Awareness Training\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExecutives Guide to Security: Protecting Your Information\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Awareness: Getting Started with Security Foundations, Information Security Fundamentals, and Key Security Terms\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing, Safeguarding Mobile Devices, and Privacy \u0026amp; Information Security (The Basics)\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity 101: Auditing \u0026amp; Incident Response and Session \u0026amp; Risk Management\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eIntermediate ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below will build on your initial knowledge. As before, you should start with the courses listed in bold, or on topics that have immediate importance to you. There is no cost to take these courses. 
Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eNavigating New Cybersecurity and Privacy Policies and Procedures\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHow Hackers Hack and How to Protect Yourself\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident Response at CMS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCMS Privacy Incident Response: Quick Guide for Business Owners\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Race\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFundamentals of Cyber Risk Management\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFoundations of Incident Management\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Audits\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eImplementation of Security Controls\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eAdvanced ISSO training\u003c/h4\u003e\u003cp\u003eThe advanced courses recommended below will help you gain a deeper understanding of the cybersecurity issues that you have been working with. They may also be appropriate to take earlier if you entered the ISSO role with a good basic understanding of both CMS operations and cybersecurity in general. 
There is no cost to take these courses.\u0026nbsp; Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEmerging Cyber Security Threats\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring Infrastructure Devices\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring the Network Perimeter\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Computing Fundamentals: Cloud Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Architecture\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Platforms\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCloud Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA A+: Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEncryption and Malware\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA Server+: Network Security Protocols\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA 
Cloud+\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"176:T12321,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eIntroduction\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis handbook gives practical guidance to Information System Security Officers (ISSOs) at CMS when performing their necessary tasks.\u0026nbsp; It helps new ISSOs get started and explains the responsibilities, resources, and organizational relationships needed for an ISSO to be successful.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis guide is for CMS (Federal) ISSOs, Contractor ISSOs, and contract security support individuals.\u0026nbsp; Business Owners and their staff may also find parts of this handbook useful, particularly when appointing new ISSOs or gaining a better understanding of ISSO tasks.\u003c/p\u003e\u003cp\u003eThe ISSO role is critical to the safe and authorized use of sensitive information in support of CMS's commitment to improving healthcare for millions of Americans. As an ISSO,\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat do ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery CMS system must formally designate an ISSO who serves as the primary point of contact responsible for the system's security and privacy.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISSOs at CMS are responsible for overseeing the security and privacy posture of the system(s) entrusted to their care, coordinating all information system risk management and information privacy activities, and acting as the Business Owner's “go-to person” for security questions and needs. 
Together, the ISSOs make up a supportive community working to ensure the success of the cybersecurity program at CMS.\u003c/p\u003e\u003cp\u003eFor more details, see the section on role and responsibilities.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho do ISSOs work with?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is part of the \u003cstrong\u003eportfolio team\u003c/strong\u003e — the group of people who work together to make sure that any given CMS information system complies with federal security requirements and is managed in a way that protects the personal and health information of those who depend on CMS for benefits. The portfolio team has the following roles:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProgram Executive, Information System Owner (ISO), Business Owner (BO), and Information System Security Officer (ISSO)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese people work together to take full responsibility for implementing the required security and privacy controls and managing the cybersecurity and privacy risk posture for each system. All of these roles must be held by an agency official (federal government employee) except the ISSO, which may be a federal employee or a contractor.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eCRAs are the “go-to” experts in all areas of risk management, and as such they evaluate and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the Authorizing Official. CRAs also help to identify the types of information processed by a system, assign the appropriate security categorizations, determine the privacy impacts, and manage information security and privacy risk. 
They facilitate the completion of all federal cybersecurity and privacy requirements, which means that CRAs and ISSOs often work closely together.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Data Guardian coordinates CMS Program activities involving beneficiary and other types of consumer information that require privacy protections.\u0026nbsp; The Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Privacy Advisor is a member of ISPG who provides privacy-related expertise to help the team identify and manage privacy risk.\u0026nbsp; The Privacy Advisor is an agency official (federal government employee) and serves as a point of contact for issues related to the Privacy Act. They also support the completion of privacy-related artifacts such as the System of Records Notice (SORN), Privacy Act reviews, and the FISMA and Privacy Management Report.\u003c/p\u003e\u003cp\u003eDetailed information about all of these roles can be found in the CMS Information Security and Privacy Policy (IS2P2) and the HHS Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat should an ISSO know?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of every ISSO should be to support the BO to securely provide the service intended by the system. To help accomplish this goal, an ISSO should ideally know and understand their component's business processes and how the system supports that business. This knowledge is critically applied during the construction of the System Security and Privacy Plan (SSPP).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation security is a means to an end and not the end in itself\u003c/strong\u003e. 
In the public sector, information security is secondary to the agency's services provided to its constituency. We, as security professionals, must not lose sight of these goals and objectives.\u003c/p\u003e\u003cp\u003eIn order to help the BO provide a CMS service in a manner that is demonstrably secure and safeguards any sensitive beneficiary information, the ISSO must know (at a minimum):\u003c/p\u003e\u003cul\u003e\u003cli\u003eMission and business functions of their component\u003c/li\u003e\u003cli\u003eHow the system supports the component's mission\u003c/li\u003e\u003cli\u003eSystem details, including:\u003cul\u003e\u003cli\u003eArchitecture\u003c/li\u003e\u003cli\u003eSystem components (hardware, software, peripherals, etc.)\u003c/li\u003e\u003cli\u003eLocation of each system component\u003c/li\u003e\u003cli\u003eData flow\u003c/li\u003e\u003cli\u003eInterconnections (internal and external)\u003c/li\u003e\u003cli\u003eSecurity categorization\u0026nbsp;\u003c/li\u003e\u003cli\u003eSecurity requirements\u003c/li\u003e\u003cli\u003eConfiguration management processes and procedures\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers (how many, location, role, etc.)\u003c/li\u003e\u003cli\u003eKey personnel by name\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow are ISSOs appointed?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS Program Executive, in coordination with the Data Guardian, ISO, and Business Owner, is responsible for nominating appropriately qualified ISSO appointees, as defined under FISMA, to the CISO for approval.\u003c/p\u003e\u003cp\u003eThe nominated ISSO, by signing the appointment letter, agrees to maintain the appropriate operational security posture of the information system by fulfilling all of the responsibilities identified in the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/a\u003e and the HHS 
Policy for Information Security and Privacy Protection (IS2P).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eA subset of the ISSO's duties and responsibilities is contained in the \u003ca href=\"/learn/isso-appointment-letter\"\u003eappointment letter\u003c/a\u003e. ISSO letters must be updated whenever a change occurs. The designated ISSO should be consistently identified in three sources: the ISSO letter, the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e, and \u003ca href=\"/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe signed appointment letter should be given to the appropriate CRA for further action.\u0026nbsp;\u003cstrong\u003e It is the responsibility of the CRA to upload the letter to CFACTS\u003c/strong\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eGetting started (for new ISSOs)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCongratulations on your new assignment as an Information System Security Officer (ISSO) at CMS! Because you are charged with protecting the sensitive information contained in systems that support healthcare delivery for millions of people, your role is vital to the success of CMS's mission. You will learn how to identify and protect information that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePersonally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eIndividually Identifiable Information (IIF)\u003c/li\u003e\u003cli\u003eProtected Health Information (PHI)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis means that security must become a vital part of your daily routine and always top-of-mind. 
Your training as an ISSO will ensure that you know and understand the requirements for protecting government assets like classified information, property, and personnel.\u003c/p\u003e\u003cp\u003eMost importantly, you will learn to work as part of a team that is dedicated to making sure CMS information systems can operate securely. While CMS has established a security program to protect assets and keep sensitive information safe, the key ingredient is always \u003cstrong\u003epeople\u003c/strong\u003e. No matter how comprehensive a program may be, you and your coworkers will ultimately determine the success of our established procedures.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAnd we are here to help you along the way! This Handbook is your primary resource for initial information about your role, and will direct you to other sources of help and support.\u003c/p\u003e\u003cp\u003eHere are the steps you should take to get started:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the paperwork\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you have not already, make sure that your \u003ca href=\"/learn/isso-appointment-letter\"\u003e\u003cstrong\u003eISSO Appointment Letter\u003c/strong\u003e\u003c/a\u003e is completed and submitted to your Cyber Risk Advisor (CRA) by your Business Owner (BO). The Appointment Letter is intended to formally nominate you as an ISSO. It also gives you a wealth of information about your duties and responsibilities. It also contains the qualifications and training to which you should aspire. 
This document may be your first communication with your CRA — the first of many conversations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf you need a copy of the ISSO Appointment Letter template, contact the ISSO Support Team: \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete ISSO onboarding\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO Support team in ISPG can help get you started. You should ask for an initial meeting with the team to orient you to your new role and next steps. \u0026nbsp; You should also reach out to your CRA, who may wish to meet on a regular basis initially, especially if your system has an important near-term milestone. If your BO did not set this up for you, you can do it yourself by sending a note to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. It is helpful to put the word “Onboarding” in the subject line.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eKnow your systems\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMake sure that in your conversation with your Business Owner, you understand whether you are going to be the primary ISSO (or the only ISSO), or if you are going to be an assistant. Do you know where your system is located? When does the Authority to Operate (ATO) expire? Are you working on a new system? The more you know at the beginning, the easier it will be to prioritize and to work with your integrated team. If you have questions about any of this, reach out to the ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIn addition to your BO and your CRA, there are others that you should get to know. We recommend that you reach out to them. We also recommend face to face meetings, at least initially. 
Some others you should get to know include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOther ISSOs in your component, if applicable\u003c/li\u003e\u003cli\u003eYour system's Technical Lead\u003c/li\u003e\u003cli\u003eWhen appropriate, your system's contractor security support\u003c/li\u003e\u003cli\u003eThe ISSO Support Team (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssess your skills with the ISSO Score Card\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOs come from many backgrounds, both technical and non-technical. Even new ISSOs with a technical background may not be familiar with the “CMS way” of operating. While you will be busy with your new role, you should take some initial time to get a better awareness of your capabilities to be a CMS ISSO through some focused initial training.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWe've made it easy to figure out what training you should prioritize using a self-assessment tool: the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card\u003c/a\u003e. Every ISSO is encouraged to take this assessment regularly as their knowledge expands. 
The ISSO Score Card is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eConfidential\u003c/strong\u003e - only you will see the results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eQuick\u003c/strong\u003e - only taking 10-15 minutes to complete\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eGeared to ISSO duties\u003c/strong\u003e - taken directly from CMS policies and requirements\u003c/li\u003e\u003cli\u003e\u003cstrong\u003ePersonalized\u003c/strong\u003e - you'll get a customized report to help you make a training plan\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eEasy\u003c/strong\u003e - using a simple online web interface\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eGo to the ISSO Score Card\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSign up for training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs an ISSO, it is vital that you understand security and privacy fundamentals and how they are applied at CMS. Regardless of your prior level of experience, you will need to know the CMS-specific workflows and governance. There is a wealth of training available to you, both for getting started and deepening your knowledge.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWondering where to start?\u003c/strong\u003e Here's a simple checklist to make sure you complete the essential training that will start you on the road to success:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFigure out what you need to know (or brush up on) using the \u003ca href=\"https://cms-lms.usalearning.net/mod/quiz/view.php?id=389\"\u003eISSO Score Card\u003c/a\u003e. 
Use the results to sign up for training that is customized to your level.\u003c/li\u003e\u003cli\u003eLearn about 6 key job functions of ISSOs using the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003evideo training series from CMS\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eSign up for CFACTS training — it's worth the 2-day time investment to get a solid grasp on this essential tool for the ISSO's daily work. (This is available in the CMS Computer Based Training platform.)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFinally, to build upon the checklist above, we have provided a list of Basic, Intermediate, and Advanced ISSO training courses that are free for you to take. See the Training section of this Handbook for details.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGet a mentor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOptionally, you can join the \u003ca href=\"/learn/isso-mentorship-program\"\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/a\u003e to be paired with an experienced ISSO. Once paired, you should work together to develop a cadence for meeting and knowledge sharing. This allows you to gain confidence faster and get hands-on support. Learn more about the ISSO Mentorship Program here.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eJoin the community\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cybersecurity community at CMS is alive and growing. There are all kinds of ways that you can get involved, get an idea of what's going on at CMS, and learn how it affects you. Attend the CMS Cybersecurity Community Forum, read the ISSO Journal, and look for ISPG-sponsored security and privacy activities.\u003c/p\u003e\u003cp\u003eFinally, if you have any questions along the way, just ask. 
Your job is very important to the success of CMS programs, and everyone at ISPG is here to support you!\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGoals for your first year\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBy the end of your first year as an ISSO, it should be your goal to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLearn the security planning and administrative security procedures for systems that process sensitive information such as PHI, PII, FTI, and classified and national intelligence data\u003c/li\u003e\u003cli\u003eUnderstand the implementation and enforcement of CMS Information System Security and Privacy policies and practices\u0026nbsp;\u003c/li\u003e\u003cli\u003eKnow the concerns and requirements that determine the administration and management of physical, system, and data access controls based on the sensitivity of the data processed and the corresponding authorization requirements\u003c/li\u003e\u003cli\u003eLearn the identification, analysis, assessment, and evaluation of information system threats and vulnerabilities and their impact on their component's critical information infrastructures\u003c/li\u003e\u003cli\u003eBe able to identify management, technical, personnel, operational, and physical security controls\u003c/li\u003e\u003cli\u003eUnderstand any additional critical areas of knowledge related to your system\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eRole and responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSOs maintain a strong security and privacy posture for their assigned system(s) in the following high-level ways:\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eServe as principal advisor\u003c/strong\u003e to the System Owner (SO), Business Owner (BO), and the Chief Information Security Officer (CISO) on all system security and privacy matters\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain system authorization \u003c/strong\u003eby following the \u003ca 
href=\"/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eNIST Risk Management Framework\u003c/a\u003e to select, implement, document, test, and maintain the security and privacy controls required to authorize and operate information systems within CMS's risk tolerance throughout the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMaintain security and privacy operations\u003c/strong\u003e capabilities sufficient to identify, detect, protect against, respond to, and recover from security incidents (as per the \u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-cybersecurity-framework-csf\"\u003eNIST Cybersecurity Framework\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eMeet federal reporting requirements\u003c/strong\u003e for information security and privacy, including documenting and mitigating weaknesses and reporting incidents and breaches\u003c/p\u003e\u003cp\u003e• \u003cstrong\u003eManage privacy requirements\u003c/strong\u003e by working collaboratively with Data Guardians and Privacy Advisors\u003c/p\u003e\u003cp\u003eThe official role and specific responsibilities for ISSOs are outlined in detail by the CMS Information Security and Privacy Policy (IS2P2), which is based upon the related policy document from HHS (IS2P). 
The following list is based on those policy documents and includes some key duties for ISSOs:\u003c/p\u003e\u003cul\u003e\u003cli\u003eComplete the security categorization for the FISMA system using the CFACTS tool\u003c/li\u003e\u003cli\u003eComplete and maintain the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan\u003c/a\u003e using the CFACTS tool\u003c/li\u003e\u003cli\u003eEnsure \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e and \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Tests\u003c/a\u003e have been scheduled and completed in a timely manner\u003c/li\u003e\u003cli\u003eDevelop, document, and maintain an inventory of hardware and software components within the FISMA system's authorization boundary\u003c/li\u003e\u003cli\u003eCoordinate the development of a \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan\u003c/a\u003e and ensure the plan is tested and maintained accordingly\u003c/li\u003e\u003cli\u003eMaintain primary responsibility for the actions and activities associated with the FISMA system receiving and maintaining an \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to manage information security and privacy risk\u003c/li\u003e\u003cli\u003eMonitor and update all POA\u0026amp;Ms in accordance with current requirements and instruction\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline\u003c/li\u003e\u003cli\u003eIdentify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems\u003c/li\u003e\u003cli\u003eCoordinate with the ISO, BO, and CRA to meet all collection, creation, use, dissemination, 
retention, and maintenance requirements for sensitive information in accordance with the Privacy Act, E-Government Act, and all other applicable guidance\u003c/li\u003e\u003cli\u003eCoordinate with the BO, Contracting Officer, ISO, and CISO to ensure that all requirements specified by the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eARS 5.1\u003c/a\u003e and the \u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eRMH\u003c/a\u003e are implemented and enforced for applicable information and information systems\u003c/li\u003e\u003cli\u003eReport and manage IT Security and Privacy Incidents in accordance to the RMH and other applicable federal guidance\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eTypes of ISSO roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe specific type of ISSO role assigned to a system will depend on the needs of the system and the available personnel. The descriptions below are taken from the CMS Information Security and Privacy Policy (IS2P2).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrimary Information System Security Officer (P-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS P-ISSO may be either a federal government employee or a contractor and must fulfill all of the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.24, System Security and System Privacy Officers. 
The P-ISSO must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the IS2P Sections 7.26 and 7.30.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecondary Information System Security Officer (S-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS S-ISSO may be either a federal government employee or a contractor, as identified in IS2P Section 7.25 (ISSO Designated Representative / Security Steward), and must assist the P-ISSO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Security Officer Contractor Support (ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ISSOCS is a contractor-only role that assists and supports the P-ISSO and S-ISSO roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor role may be performed by an ISSO. The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.23.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by an ISSO. The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS Policy for Information Systems Security and Privacy Protection (IS2P) Section 7.30.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO checklist\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis section provides a list of specific tasks an ISSO should perform periodically. The timelines listed for each task are general guidelines, which may vary depending on the Component guidance or system circumstances. 
This list isn't comprehensive, but serves as a quick reference to help you plan your work. You may choose to make a spreadsheet for yourself to keep track of recurring tasks and due dates.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWeekly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview audit logs\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based upon change requests\u003c/li\u003e\u003cli\u003eEnsure data is backed up\u003c/li\u003e\u003cli\u003eCheck status of any \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eMonthly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview / deactivate unused accounts\u003c/li\u003e\u003cli\u003eEnsure all POA\u0026amp;Ms with Open or Delay status are annotated with current status\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eQuarterly\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that all data in CFACTS is current and accurate one week before the end of the quarter (CMS submits a quarterly FISMA report to OMB based on this data)\u003c/li\u003e\u003cli\u003eEnsure the completion of internal vulnerability scans\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAnnually\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and update all \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e, such as the documents listed below. 
Remember that most of these require months of effort to complete, so you must be working on them well in advance.\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e Note: Updating security control implementation is a necessary first step to updating the SSPP. When updating any documents, ensure the old copy is retained.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure that all system users and people with significant security responsibilities (e.g., ISSOs) receive their required annual awareness training\u003c/li\u003e\u003cli\u003eConduct a Contingency Plan Test with associated training, after-action, and updated POA\u0026amp;Ms as necessary. 
Ensure that the Business Owner certifies (signs) any updated CP document.\u003c/li\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) for your system(s) and update as appropriate\u003c/li\u003e\u003cli\u003eEnsure vulnerability assessments are completed at least annually, or when significant changes are made to the system\u003c/li\u003e\u003cli\u003eReview and validate user access rights\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOngoing\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eContinual security control assessment to ensure no unaddressed risks are present\u003c/li\u003e\u003cli\u003eContinual work on tests and assessments (as needed) such as:\u003cul\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/li\u003e\u003cli\u003ePenetration Testing\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eContinual updating of the \u003cstrong\u003eSecurity Authorization Process documentation\u003c/strong\u003e (see list in the section above). All of these should be updated as changes occur, and all require an annual review and update.\u003c/li\u003e\u003cli\u003eComplete incident response reports (as required)\u003c/li\u003e\u003cli\u003eATO updates (as required)\u003c/li\u003e\u003cli\u003eRespond to any CCIC monitoring alerts (as required)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eISSO activities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eUse this section to learn in-depth about the activities you must understand and perform as an ISSO from the very beginning of your system's development. These activities support the CMS \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle\u003c/a\u003e (TLC), which is the framework that standardizes how IT systems are built, maintained, and retired at CMS. 
The ISSO activities also support the Risk Management Framework (RMF) from NIST, which helps organizations integrate security considerations into their software development processes.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct a Security Impact Analysis (SIA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis\u003c/a\u003e\u0026nbsp;is the process that you will use initially for your new system and \u003cstrong\u003eevery time\u003c/strong\u003e a new change to the system is proposed. When you have completed this process, you will be able to provide substantive recommendations to your Business Owner on the impact of any proposed change(s). The impact may be small, or it may rise to the level of a new ATO process.\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; SIAs are frequently thought of as documents.\u0026nbsp; Remember that \u003cstrong\u003eSIA is a process\u003c/strong\u003e.\u0026nbsp; Based on the complexity and extent of the process, a completed form may help better describe the security impact, as well as necessary actions to take.\u0026nbsp; The actual CMS/FISMA requirement noted in ARS 5.1 Control CM-4 requires “Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) to conduct security impact analyses.”\u0026nbsp; It is up to you and your Business Owner/organization to determine the level to which you document your analysis.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-impact-analysis-sia\"\u003eLearn about Security Impact Assessment (SIA)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCategorize your FISMA system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour FISMA system has different security controls based on the sensitivity of the information contained in or 
processed by your system. Categorization takes place within CFACTS.\u0026nbsp; You enter the appropriate area and select the type of information that will be processed.\u0026nbsp; The system categorization will be suggested automatically and noted as “Low”, “Moderate”, or “High”.\u0026nbsp; If necessary, the categorization may be manually overridden; your CRA will have to help with this.\u0026nbsp; In practice this seldom happens.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis system categorization will have a variety of uses.\u0026nbsp; Most importantly, you will need to have this information to determine which controls to allocate for your system.\u003c/p\u003e\u003cp\u003eNote: Although this process sounds like it will only be done once for your FISMA system, \u003cstrong\u003eyou may have to repeat it\u003c/strong\u003e if a proposed change includes access or storage of different types of data. \u0026nbsp; Your completed SIA will guide your actions.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/federal-information-security-modernization-act-fisma#perform-system-risk-categorization\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eLearn more about system categorization\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/posts/watch-and-learn-system-categorization-cfacts\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eSee how to categorize your system in CFACTS\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eDetermine the Authorization Boundary\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAnother major initial task is to determine the system's \u003cstrong\u003eAuthorization Boundary\u003c/strong\u003e. 
The NIST definition of authorization boundary is: “All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected”.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eOne practical way of determining the system's authorization boundary is to ask whether a particular component can be changed by one's own system team, or if another team has to make updates or changes.\u0026nbsp; If your team can make the change or configuration, chances are that the component falls within your authorization boundary. As with system categorization, the authorization boundary is usually determined at the outset of system development. It may expand or contract based on changes to the system over its lifecycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBe aware of High Value Assets (HVAs)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe HHS HVA Program Policy defines HVAs as: “Assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.”\u003c/p\u003e\u003cp\u003eThe practical impact of this program is that, if your FISMA system is defined as an HVA, it will face additional security requirements from DHS and HHS, which may impact the continuity of operations and assessments of the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAllocate controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce a system has been categorized, the ISSO has the information necessary to select controls, or allocate them.\u0026nbsp; The process is largely automatic, and is well-described in the CMS Risk Management Handbook (RMH) Chapter 12: Security and Privacy Planning. 
Selected controls are allocated for Low, Moderate, or High systems based on system categorization. The mechanics are described very well in the CFACTS User Manual, so that should be your primary reference point on allocating controls. Some general control types include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem-specific controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThese are controls that your system “owns”.\u0026nbsp; If you are running on hardware that you are responsible for, there are system-specific controls for it.\u0026nbsp; If your system is an application, or Major Application, the system-specific controls are those controls that your developers and administrators configure and maintain.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInherited controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn many cases your system uses components provided by other FISMA systems. In the above example about hardware, what if your system is housed on hardware administered by others? This is not just a possibility — in most cases major applications run within a separate data center. Certainly this is the case for systems housed in the AWS Cloud. In these instances, the data center (or other entity) that houses your system will most likely take care of some of the controls for your system, in which case your system will be able to “inherit” controls.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eIf the providing system completely takes care of a control, it is called a \u003cstrong\u003ecommon, or fully inherited\u003c/strong\u003e control. If the providing system takes care of part of a control, and relies on your system to take care of the rest of the control, it is called a \u003cstrong\u003ehybrid\u003c/strong\u003e control. 
(The CFACTS User Manual has additional information on how to inherit a control.)\u003c/p\u003e\u003cp\u003eUnderstanding which controls your team must address and which controls are available through full or partial inheritance will help you understand how to document your security control compliance (which is the next step in the cycle).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSupplemental controls\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupplemental controls (previously referred to as non-mandatory controls in ARS 3.1) can be added to a system as necessary, and are not included in baseline control allocation. They should be reviewed and added as appropriate for your system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eImplement security controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIt is your responsibility as your system's security and privacy Subject Matter Expert to make sure that your Business Owner, system developers, and system administrators understand the controls that must be in place for your system to be “secure” to CMS standards.\u0026nbsp; Once these controls have been implemented, \u003cstrong\u003ethey need to be documented within CFACTS\u003c/strong\u003e.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote:\u0026nbsp; All security controls that have been allocated for your system \u003cstrong\u003emust have some comment\u003c/strong\u003e. \u0026nbsp; Even fully inherited controls should have a notation that the control is fully inherited.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDevelop system documentation\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eProminent documents are important to understanding the security posture of your FISMA system.\u0026nbsp; CFACTS can help with this process by automatically generating some of the documents, such as the System Security Plan. Other documents are found within CFACTS, such as System Categorization. 
Others, such as the Information System Risk Assessment (ISRA) must be completed using CMS-approved templates. Finally, others may either use a CMS template or a locally generated document such as the Security Impact Assessment (SIA).\u003c/p\u003e\u003cp\u003eNote:\u003cstrong\u003e Make sure that all CFACTS entries, including all security controls, are accurate and complete at all times.\u0026nbsp;\u003c/strong\u003e This will ensure that CFACTS-generated documents are accurate.\u003c/p\u003e\u003cp\u003eItems for the system documentation include:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSystem Security and Privacy Plan (SSPP)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSSPP\u003c/a\u003e is the key document associated with the FISMA system security. It should provide an accurate, detailed description of the FISMA system itself, security requirements, and those controls that are actually in place to protect the system. This document is generated by CFACTS.\u003c/p\u003e\u003cp\u003eTip: It is a best practice to maintain older copies of SSPPs as new versions are generated. 
Do not overwrite old SSPPs; you never can tell when you might need to refer to an older version.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eLearn more about System Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Risk Assessment (ISRA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eISRA\u003c/a\u003e details the business and technical risks associated with a FISMA system.\u0026nbsp; It shares high-level information from CFACTS, as well as specific risks noted and how critical they are.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eLearn more about Information System Risk Assessment (ISRA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Impact Assessment (PIA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePIA\u003c/a\u003e is not simply a compliance step — it guides the full analysis of a system for privacy risks and controls. A PIA is a process for assessing whether appropriate privacy policies, procedures, business practices, and security controls are implemented to ensure compliance with federal privacy regulations. 
PIAs are published on HHS.gov and go through a three-year review process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003eLearn more about Privacy Impact Assessment (PIA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eThird-Party Websites and Applications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_M-10-23.pdf\"\u003eOffice of Management and Budget Memorandum 10-23\u003c/a\u003e, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party websites and applications to ensure that the use protects privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA).\u0026nbsp;\u003c/p\u003e\u003cp\u003eIn accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs for all third-party websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. The CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system can be \u003ca href=\"https://www.hhs.gov/pia/index.html#Third-Party\"\u003eaccessed here on the HHS website\u003c/a\u003e. CMS implementation specifications are included in the CMS Acceptable Risk Safeguards (ARS 5.1).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Threshold Analysis\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eA Privacy Threshold Analysis (PTA) is a PIA for a system that does not contain PII or only contains HHS employee information. PTAs remain internal to HHS and do not have to go through the three-year review process. A PTA may be updated based on a major change to the system. 
It is also possible that change to a system could result in a PTA then meeting the threshold to be a PIA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConduct Contingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://dkanreserve.prod.acquia-sites.com/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp;provides instructions, disaster declaration criteria, and procedures to recover information systems and associated services after a disruption. It involves cooperation with your Business Owner, your data center or hosting facility, and senior CMS leadership. (See CMS Risk Management Handbook Chapter 6: Contingency Planning).\u003c/p\u003e\u003cp\u003eAs the ISSO, you will coordinate efforts with your Business Owner to determine the business criticality of key processes. This effort will result in a Business Impact Analysis (BIA) which, in turn, serves as the primary requirement document for determining key recovery metrics including the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Maximum Tolerable Downtime (MTD), and Work Recovery Time (WRT).\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe goal is to ensure that there are plans in place to restore business functionality within the Maximum Tolerable Downtime.\u0026nbsp; Note that this may involve restoring the system as originally constructed, moving to alternate processing facilities, or even moving to alternate processing methods.\u0026nbsp;\u003c/p\u003e\u003cp\u003eHere are the key steps and documents involved in Contingency Planning:\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCreate Contingency Plan (CP) document\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP Plan is a single document that contains:\u003c/p\u003e\u003cul\u003e\u003cli\u003eKey recovery metrics for your FISMA system\u003c/li\u003e\u003cli\u003ePre-defined descriptions of conditions that constitute a need for 
action\u003c/li\u003e\u003cli\u003ePre-defined actions based on the severity of an identified incident\u003c/li\u003e\u003cli\u003eKey staff, contact information, and specific duties for each person\u003c/li\u003e\u003cli\u003eItem-level understanding of all of the hardware and software components of the FISMA system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIt's important to keep in mind:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe CP must be attested to (signed) by the FISMA System Owner annually.\u003c/li\u003e\u003cli\u003eAll of the information necessary to execute the contingency plan must be in the CP.\u0026nbsp; There should be no references to offline personnel lists, contact information, system information, etc.\u0026nbsp;\u003c/li\u003e\u003cli\u003eAll identified Key Personnel must have access to their own copy of the CP in a secure location that is accessible in the event that the FISMA system is unavailable.\u003c/li\u003e\u003cli\u003eThe Contingency Plan, above all FISMA system documentation, must remain current.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eConduct Contingency Plan (CP) Exercise\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CP must be exercised (tested) at least once every 365 days. This is commonly referred to as the “Tabletop Exercise”, but a tabletop exercise is only one (the easiest) way to test the CP. An exercise plan must be prepared and followed during the execution of the test. All staff who would participate in an actual CP event must be available for the exercise.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: \u003cstrong\u003eKey staff members must be trained annually in their contingency responsibilities.\u003c/strong\u003e It is best to perform this training immediately prior to the exercise. 
Training in this way refreshes individuals' memories and ensures their availability for the test.\u003c/p\u003e\u003cp\u003e\u003cem\u003eTip: If your FISMA system is involved in an outage that causes you to exercise the CP Plan, you should consider documenting this event as an exercise of your CP Plan.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/contingency-plan\"\u003eLearn more about Contingency Plan testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGet after action report\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter the exercise is conducted, an after action report must be generated to describe the test and highlight specific deficiencies that must be corrected.\u0026nbsp; These deficiencies may be easily correctable, or may result in POA\u0026amp;Ms.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAchieve Contingency Plan (CP) re-certification\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAfter any corrections have been made, the updated Contingency Plan must be re-certified by the System Owner. Make sure that all key staff members receive updated CP documents that they have access to (\u003cstrong\u003eeven away from the office or after hours\u003c/strong\u003e). Destroy (or return) older copies.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssess security controls for your system(s)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS systems are required to undergo assessments of risk and security/privacy control compliance before they are given Authorization to Operate (ATO). 
The assessment and authorization process protects the security and privacy posture of CMS systems throughout the system development lifecycle.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAssessments of risk and/or control compliance are conducted:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen a new system is ready to be placed into an operational state\u003c/li\u003e\u003cli\u003eWhen a significant change has been made to an existing system\u003c/li\u003e\u003cli\u003eAnnually, if a system follows a FISMA 1/3 assessment schedule\u003c/li\u003e\u003cli\u003eAd hoc when requested or otherwise required\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCurrently there are two main types of controls assessments — SCA and ACT.\u0026nbsp; Your component will dictate which type of assessment your system undergoes.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: Whichever one your system uses, make sure to schedule your assessment \u003cstrong\u003eas soon as possible\u003c/strong\u003e. When the assessment is complete, make sure all documentation is complete and housed in CFACTS appropriately.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Controls Assessment (SCA)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis is a detailed evaluation of the controls protecting an information system.\u0026nbsp; The security controls assessment determines the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-controls-assessment-sca\"\u003eLearn more about Security Controls Assessment (SCA)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP) (Formerly Adaptive Capabilities Testing (ACT))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. 
CSRAP assesses a system's security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePenetration testing\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePenetration testing is performed on information systems or individual system components to identify vulnerabilities that could be exploited by bad actors. It is used to validate vulnerabilities or determine the degree of resistance that organizational information systems have to risk within a set of specified constraints (e.g., time, resources, and/or skills).\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing attempts to duplicate the actions of internal and external bad actors in carrying out hostile cyber-attacks against the organization and allows a more in-depth analysis. 
It can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003ePenetration testing is performed on all High Value Assets (HVA) information systems within CMS at a frequency of every 365 days or when there has been a significant change to the system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eIt is considered to be part of the group of assessments required for CMS systems, and its results are recorded in CFACTS similarly to the controls assessments (SCA and/or ACT).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003eLearn more about penetration testing\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Assessment Report (SAR) and CAAT file\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eFor all assessments, a final Security Assessment Report (SAR) chronicles the results of the assessment. The \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eRisk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e states:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAt the completion of a security controls assessment, the independent assessor completes a CMS Assessment and Audit Tracking (CAAT) spreadsheet. The CAAT spreadsheet is utilized for all CMS audits, assessments and penetration testing vulnerabilities. The completed CAAT spreadsheet is emailed to the CMS CISO mailbox at \u003c/em\u003e\u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003e\u003cem\u003eCISO@cms.hhs.gov\u003c/em\u003e\u003c/a\u003e\u003cem\u003e for upload into the CFACTS tool. Once uploaded into CFACTS, the weaknesses are automatically generated for all items with a status of “other than satisfied”. The ISSO for the associated information system receives an automated email notification from the CFACTS tool identifying a new weakness. 
The ISSO has 30 days to create a POA\u0026amp;M within CFACTS.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage Plan of Action and Milestones (POA\u0026amp;M)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe POA\u0026amp;M is a remedial action plan (the process of accepting or resolving a risk) which helps the agency to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and assess information system security and privacy weaknesses\u003c/li\u003e\u003cli\u003eSet priorities about how to mitigate weaknesses using available resources\u003c/li\u003e\u003cli\u003eMonitor and report progress toward mitigating the weaknesses\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO are responsible for opening, maintaining / updating, and closing POA\u0026amp;Ms on a continual basis to ensure the maximum level of information security for system(s) entrusted to your care.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003eLearn more about Plan of Action \u0026amp; Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthorize the system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystem authorization is the formal decision by senior officials to allow a CMS information system to operate. 
Commonly known as Authorization to Operate (ATO), this is the culmination of all the tests, assessments, remediation, documentation, and other activities that the ISSO and others on the portfolio team have done to ensure information security for the system.\u003c/p\u003e\u003cp\u003eIn formal terms, authorization is described in the CMS Risk Management Handbook Chapter 4: Security Assessment and Authorization:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSecurity authorizations are official management decisions that are conveyed through authorization decision documents by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. The CIO serves as the authorizing official for CMS. The CIO is responsible for making an overall determination of risk and authorizing CMS information systems for operation, if it is determined that the associated risks are acceptable. 
An ATO memo is signed by the CIO giving the System Owner/BO formal authority to operate a CMS information system.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThere are three NIST document requirements for an ATO “package” and six more that are specific to CMS.\u0026nbsp; The documents include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Security and Privacy Plan (SSPP)\u003c/li\u003e\u003cli\u003eSecurity Assessment (Final) Report (SAR)\u003c/li\u003e\u003cli\u003ePlans of Action and Milestones (POA\u0026amp;M)\u003c/li\u003e\u003cli\u003eContingency Plan (CP)\u003c/li\u003e\u003cli\u003eCP Testing Plan\u003c/li\u003e\u003cli\u003eCP Test After Action Report\u003c/li\u003e\u003cli\u003eInformation System Risk Assessment (ISRA)\u003c/li\u003e\u003cli\u003ePrivacy Impact Assessment (PIA)\u003c/li\u003e\u003cli\u003eInterconnection Security Agreement (ISA) as applicable\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eGetting these documents together and conducting all necessary steps can be a long process so \u003cstrong\u003eyou should start working on your ATO as early as possible\u003c/strong\u003e to ensure timely completion.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/authorization-operate-ato\"\u003eLearn more about System Authorization\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuous monitoring\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eContinuous monitoring is the practice of using modern tools and technology to continuously check systems for vulnerabilities and risks. Rather than thinking of getting an ATO as having “achieved” compliance, continuous monitoring allows us to observe and track evolving risks over time. Security is never “done”.\u003c/p\u003e\u003cp\u003eContinuous monitoring is a growing program at CMS. 
As an ISSO, you will work closely with the CMS Cybersecurity Integration Center (CCIC) to ensure that your system is appropriately monitored.\u0026nbsp; CCIC ensures oversight of information security and privacy, including Security Information Event Management, for each FISMA system operating by or on behalf of CMS.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CCIC delivers various agency-wide security services.\u0026nbsp; These services include \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e as well as security engineering, incident management, forensics and malware analysis, information sharing, cyber threat intelligence, penetration testing, and software assurance.\u003c/p\u003e\u003cp\u003eMore information about continuous monitoring can be found in the \u003ca href=\"/policy-guidance/risk-management-handbook-chapter-4-security-assessment-authorization-ca\"\u003eCMS Risk Management Handbook (RMH) Chapter 4: Security Assessment and Authorization\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eManage security incidents\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAlong the way, a system entrusted to your care might have a security or privacy incident or breach. Anytime there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an\u003cstrong\u003e incident\u003c/strong\u003e. 
If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a \u003cstrong\u003ebreach\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eKnown or suspected security or privacy incidents involving CMS information or information systems \u003cstrong\u003emust be reported immediately\u003c/strong\u003e to the CMS IT Service Desk:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhone: 410-786-2580 or 1-800-562-1963\u003c/li\u003e\u003cli\u003eEmail: \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eYou as the ISSO should be apprised of the situation as soon as possible (if you're not the one who initially reported the incident). You will work with the Incident Management Team (IMT) and others involved with your system to manage and report the incident and mitigate any resulting harm. More details can be found in the CMS Risk Management Handbook (RMH) Chapter 8: Incident Response.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eISSO toolkit\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section contains links to documents you will access often in your daily activities, and resources to support your work as an ISSO. You should become familiar with the purpose and usage of each.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eDocuments\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Information Security Acceptable Risk Safeguards (ARS 5.1) defines information security and privacy control requirements and includes additional, detailed policy traceability statements within each control description. 
The ARS 5.1 provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS 5.1 may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.\u003c/p\u003e\u003cp\u003eThe goal of the ARS 5.1 is to define a baseline of minimum information security and privacy assurance controls. The controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS. Protecting and ensuring the confidentiality, integrity, and availability for all of CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS 5.1 complies with the CMS IS2P2 by providing a defense-in-depth security structure along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cybergeek.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eLearn more about ARS 5.1\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Information Security and Privacy Policy (IS2P2)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis policy defines the framework under which CMS protects and controls access to CMS information and information systems. 
It provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information to assure the confidentiality, integrity, and availability of CMS information and systems.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eAlong with the Acceptable Risk Safeguards (ARS 5.1), the IS2P2 stands as one of the core reference sources for cybersecurity policies and practices at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eGo to the IS2P2\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Risk Management Handbooks\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis series of handbooks is designed to help ISSOs understand and address the many CMS security and privacy requirements developed to protect their system(s). The RMH chapters are generally aligned to provide specific guidance and recommendations for specific ARS 5.1 Control Families. (For example, \u003cstrong\u003eRMH Chapter 6: Contingency Planning\u003c/strong\u003e addresses the ARS 5.1 controls in the \u003cstrong\u003eCP Family\u003c/strong\u003e.) As you work through your ARS 5.1 controls, you should have the appropriate RMH handy.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\"\u003eLearn more about the CMS Risk Management Handbook (RMH)\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTools and resources\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCFACTS\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS FISMA Controls Tracking System (CFACTS) is the system used by CMS as a repository for managing the security and privacy requirements of its information systems. 
It provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across the CMS enterprise. You will use it for tracking your tasks associated with system authorization, risk remediation, and more.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx#home\"\u003eGo to CFACTS\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003cp\u003eA user manual is produced by the team that administers CFACTS and gives a guided tour through all activities in CFACTS. Although it is not a primer in risk management, many activities and concepts can be understood implicitly through their description in the User Manual and implementation in CFACTS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://cfacts3.cms.cmsnet/apps/ArcherApp/Home.aspx\"\u003eGo to CFACTS user manual\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISPG website (CyberGeek)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Information Security and Privacy Group (ISPG) provides the “CyberGeek” website as a one-stop shop for all security and privacy related information at CMS including dedicated resource pages for ISSOs and other roles. This is a new site, and more information will become available as it grows.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/\"\u003eGo to ISPG website (CyberGeek)\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCMS Slack\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSlack is an application that allows for fast and easy communication among all CMS employees and contractors. Spaces called channels allow for focused communication which will keep you organized and informed during your daily routine. 
Below is a list of Slack channels that will help you on your journey to becoming a fully independent ISSO:\u003c/p\u003e\u003cul\u003e\u003cli\u003e#ars-feedback\u003c/li\u003e\u003cli\u003e#cfacts_community\u003c/li\u003e\u003cli\u003e#cisab\u003c/li\u003e\u003cli\u003e#cms-isso\u003c/li\u003e\u003cli\u003e#cyber-risk-management\u003c/li\u003e\u003cli\u003e#ispg-all\u003c/li\u003e\u003cli\u003e#isso-as-a-service\u003c/li\u003e\u003cli\u003e#security_community\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eAcronyms\u003c/h4\u003e\u003cp\u003eLike most other parts of government, the security and privacy world at CMS is full of acronyms. ISPG maintains a list of acronyms so you can easily look up unfamiliar terms.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/acronyms\"\u003eSee the acronym list here\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Framework\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAs an ISSO, your daily tasks support CMS in applying the NIST Cybersecurity Framework (CSF), guidance created by the National Institute of Standards and Technology to help organizations effectively manage cybersecurity risk. (Executive Order 13800, \u003ca href=\"https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure\"\u003eStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure\u003c/a\u003e, made the Framework mandatory for U.S. federal government agencies.)\u003c/p\u003e\u003cp\u003eWe have created the \u003cstrong\u003eISSO Framework\u003c/strong\u003e to show how ISSO responsibilities align with specific functions and categories of the NIST Cybersecurity Framework, and how the ISSO works with other people within the organization to complete tasks. 
You can refer to this Framework whenever you have questions about documentation or activities related to your job.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/ISPG/DSPC/ISPG%20DSPC%20Documents%20%20Internal/ISSO%20Engagement%20and%20Outreach%20Initiative/ISSO%20Framework\"\u003eGo to the ISSO Framework\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity and Privacy Language for IT Procurements\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS provides templated language to use in IT procurements to ensure the security and privacy of information and information systems that CMS uses. This includes systems provided or managed by contractors or subcontractors on behalf of CMS. The ISSO may provide support to this process.\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/security-and-privacy-requirements-it-procurements\"\u003eLearn more about Security and Privacy Language for IT Procurements\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eTarget Life Cycle (TLC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS requires all new IT systems to follow the Target Life Cycle (TLC), a common framework for governing system development across the enterprise. The TLC accommodates various IT development methodologies while ensuring that systems meet all applicable legislative and policy requirements.\u0026nbsp;\u003c/p\u003e\u003cp\u003e(The TLC has replaced the former Expedited Life Cycle (XLC) as the official IT governance framework at CMS. 
If your current projects or contracts specify the use of XLC-related tools, templates, or reviews, you may continue using them.\u0026nbsp; You may also use fewer or alternative tools and templates, as long as you meet the minimum requirements outlined within the TLC.)\u003c/p\u003e\u003cp\u003eAs an ISSO, you will enter the TLC by filling out an intake form when you:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInitiate a new IT project\u003c/li\u003e\u003cli\u003eConduct an acquisition to support a new IT project\u003c/li\u003e\u003cli\u003eRequest new/increased funding to support an IT project\u0026nbsp;\u003c/li\u003e\u003cli\u003ePlan significant changes to an existing IT project\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAfter submitting your form, the CMS IT Governance Team will help you meet TLC requirements. You can also contact the governance team via email: \u003ca href=\"mailto:IT_Governance@cms.hhs.gov\"\u003eIT_Governance@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC\"\u003eLearn more about the TLC\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://share.cms.gov/Office/OIT/CIOCorner/Lists/Intake/NewForm.aspx\"\u003eFill out an intake form\u003c/a\u003e (requires CMS login)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eResources external to CMS\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Department of Health and Human Services (HHS) is the parent organization for CMS. All of our policies and guidance are based on HHS-level documentation. 
The IS2P comprises HHS policies and procedures that ensure the secure collection, use, sharing, and storage of information that is both terrorism-related information and “protected information (PI)”.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhere possible, this document identifies existing HHS policies and procedures that meet the privacy requirements. Where necessary, however, this document also creates policies specific to the activities and resources that HHS requires.\u0026nbsp; The IS2P is one of the base documents from which CMS requirements are created. You can request a copy of this policy from the CISO team: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHHS Cybersecurity Library\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSometimes CMS borrows policies and standards directly from HHS, our parent organization. You will sometimes need to access the HHS library of cybersecurity documents for your work.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://intranet.hhs.gov/security/index.html\"\u003eGo to the HHS library\u003c/a\u003e (requires login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Special Publications\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eNIST Special Publications in the 800 series are of general interest to the computer security community, and these documents serve as the foundation for CMS security and privacy practices. 
Specifically helpful to ISSOs are the publications that contain detailed explanations of information security controls and the test cases used to assess them.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53: Recommended Security Controls for Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final\"\u003eNIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca href=\"/learn/national-institute-standards-and-technology-nist#nist-800-series-of-special-publications\"\u003eLearn more about NIST SP 800 series\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eNIST Computer Security Resource Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe National Institute of Standards and Technology (NIST) publishes helpful resources on computer, cyber, and information security and privacy. Explore publications, news, programs, and events that will help you expand your cybersecurity knowledge.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://csrc.nist.gov/\"\u003eVisit the NIST Resource Center\u003c/a\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eOMB Memoranda and Circulars\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEvery year, the Office of Management and Budget (OMB) publishes a Memo with reporting instructions and guidance for FISMA, which can be useful to people with cybersecurity responsibilities at CMS. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/memoranda/\"\u003eExplore OMB memos here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThere are a number of OMB Circulars that provide general guidance on information security. 
Three of the most relevant are:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a130_a130appendix_iii\"\u003eA-130 - Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.osec.doc.gov/opog/privacy/Memorandums/OMB_Circular_A-123.pdf\"\u003eA-123 - Management's Responsibility for Internal Control\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/omb/circulars_a127/\"\u003eA-127 - Financial Management Systems\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOMB A-130 applies to all IT systems while A-123 and A-127 apply primarily to financial systems. ISSOs should be aware of these foundation documents and have a general understanding of their content. \u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars/\"\u003eExplore all OMB Circulars here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho to contact\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen you have a question or challenge, we are here to help! Here are key points of contact for situations you may face as an ISSO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy incident\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eReport known or suspected security or privacy incidents involving CMS data to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to \u003ca href=\"mailto:CMS_IT_Service_Desk@cms.hhs.gov\"\u003eCMS_IT_Service_Desk@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or privacy questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDo you have a question or concern related to CMS information security or privacy, and need a place to start? 
Send an email to the CISO Team at \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e regarding information security, or an email to \u003ca href=\"mailto:Privacy@cms.hhs.gov\"\u003eprivacy@cms.hhs.gov\u003c/a\u003e for questions regarding information privacy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO questions\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you have questions about the ISSO role or other activities such as the ISSO Forum — or if you just want to hear from an ISSO — send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eOversight and guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) and Privacy Advisor are your ISPG support representatives. They help improve accountability and risk management by providing hands-on oversight to system cybersecurity and privacy risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO community\u003c/strong\u003e\u003c/h3\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Community Forum (C3F)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThis monthly meeting is held for the benefit of the CMS security community, covering timely and relevant topics from ISPG speakers. It’s open to all CMS and contractor security professionals. Meeting details (location, time, video conferencing link) will be in the email invitation, which is sent monthly to everyone at CMS.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Forum\"\u003eSee past Forum videos and materials\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Journal\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRead the ISSO Journal to stay updated on cybersecurity trends, learn about current events, and hear from other ISSOs. 
The Journal is distributed widely among CMS staff, and all cybersecurity professionals — both CMS and contractor staff — are invited to contribute! Contact us by email (\u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e) if you would like to write a post.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://confluenceent.cms.gov/pages/viewpage.action?spaceKey=IIP\u0026amp;title=CMS+ISSO+Journal\"\u003eRead the ISSO Journal\u003c/a\u003e (requires CMS login)\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eISSO Mentorship Program\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe mentorship program allows experienced ISSOs to support those who are newer to the role. For mentors, this is an opportunity to build leadership skills and strengthen the future of cybersecurity at CMS. For mentees, this allows you to build your knowledge faster and get hands-on support. The structure of the program is flexible — both ISSOs will decide what cadence and duration for meetings works for them.\u0026nbsp;\u003c/p\u003e\u003cp\u003eA mentorship usually lasts 6 months to a year. Your supervisor will need to approve your participation in the program.\u0026nbsp; Note that although the program is generally used by newer ISSOs, it is also available for existing ISSOs who want additional bootstrap help — for example, if they are dealing with an issue or project that is new to them. Mentorship is for these ISSOs, too!\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/isso-mentorship-program\"\u003eLearn about the ISSO Mentorship Program\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTraining\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003ePeople come to the ISSO role from many backgrounds, with differing experiences, so each may start at a different place. Broadly, ISSOs need to have both general cybersecurity knowledge and specific knowledge of how things operate at CMS. 
For new ISSOs, see the “Getting Started” section of this Handbook for tips on beginning your training journey.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eNICE code for ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere is a Federal initiative to help train cybersecurity professionals. The \u003ca href=\"https://www.nist.gov/itl/applied-cybersecurity/nice\"\u003eNational Initiative for Cybersecurity Education\u003c/a\u003e (NICE) seeks to link appropriate training to cybersecurity roles by associating NICE “codes” with training opportunities. \u003cstrong\u003eAs an ISSO, your NICE code is OVMGT001\u003c/strong\u003e. Knowing this will help you find appropriate training for particular tasks or knowledge areas.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eTraining sources\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThere are many external sources such as professional associations and training organizations that can help you expand your cybersecurity knowledge and skills, but you can also get excellent free training that is provided by CMS and HHS. 
They are offered via the following platforms:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"http://www.cms.gov/cbt\"\u003eCMS Computer Based Training\u003c/a\u003e (CBT) - Free online training courses provided by CMS\u003c/li\u003e\u003cli\u003eCMS Cybersecurity Training Catalog - List of current training offerings and events (such as webinars) from CMS\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://confluenceent.cms.gov/display/IIP/ISSO+Training\"\u003eISSO Training Page\u003c/a\u003e - Collection of training resources in the ISPG Confluence environment that helps you navigate the training options available to you\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://ams.hhs.gov/amsLogin/SimpleLogin.jsp\"\u003eHHS Learning Management System\u003c/a\u003e\u0026nbsp; (LMS) - Free courses for federal employees (not contractors) provided through HHS to advance your core cybersecurity knowledge or prepare you for certifications\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://fedvte.usalearning.gov/\"\u003eFederal Virtual Training Environment\u003c/a\u003e (FedVTE) - Another source of free training courses available to federal employees and contractors (similar to the LMS above).\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo help ISSOs focus on the most relevant training, below is a list of Basic, Intermediate, and Advanced courses that will help you grow in the specific skills needed for your role.\u003c/p\u003e\u003ch4\u003eBasic ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below provide both an introduction to cybersecurity in general and guidance on how these concepts are implemented at CMS. The courses listed in bold are the most important. You should consider some or all of the rest of the courses as your time permits. If possible, try to complete the bolded courses within your first two months as an ISSO. There is no cost to take these courses. 
Note: HHS LMS is only available to federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eISSO Fundamentals\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eWorking With CFACTS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eClassroom / Remote\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAll About the CMS Acceptable Risk Safeguards (ARS 5.1)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePrivacy and Awareness Training\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExecutives Guide to Security: Protecting Your Information\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Awareness: Getting Started with Security Foundations, Information Security Fundamentals, and Key Security Terms\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing, Safeguarding Mobile Devices, and Privacy \u0026amp; Information Security (The Basics)\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity 101: Auditing \u0026amp; Incident Response and Session \u0026amp; Risk Management\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eIntermediate ISSO training\u003c/h4\u003e\u003cp\u003eThe courses recommended below will build on your initial knowledge. As before, you should start with the courses listed in bold, or on topics that have immediate importance to you. There is no cost to take these courses. 
Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eNavigating New Cybersecurity and Privacy Policies and Procedures\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eHow Hackers Hack and How to Protect Yourself\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eIncident Response at CMS\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCMS Privacy Incident Response: Quick Guide for Business Owners\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Race\u003c/td\u003e\u003ctd\u003eCBT\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eFundamentals of Cyber Risk Management\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFoundations of Incident Management\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompliance Expert: IT Security - Phishing\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCybersecurity Audits\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eImplementation of Security Controls\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003eAdvanced ISSO training\u003c/h4\u003e\u003cp\u003eThe advanced courses recommended below will help you gain a deeper understanding of the cybersecurity issues that you have been working with. They may also be appropriate to take earlier if you entered the ISSO role with a good basic understanding of both CMS operations and cybersecurity in general. 
There is no cost to take these courses.\u0026nbsp; Note: HHS LMS is only available for federal employees.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCourse\u003c/th\u003e\u003cth\u003eSource\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eEmerging Cyber Security Threats\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring Infrastructure Devices\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecuring the Network Perimeter\u003c/td\u003e\u003ctd\u003eFedVTE\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Computing Fundamentals: Cloud Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Architecture\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Security\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eCloud Data Platforms\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCloud Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA A+: Security Fundamentals\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eEncryption and Malware\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA Server+: Network Security Protocols\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eCompTIA 
Cloud+\u003c/td\u003e\u003ctd\u003eLMS\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"174:{\"value\":\"$175\",\"format\":\"body_text\",\"processed\":\"$176\",\"summary\":\"\"}\n179:[]\n178:{\"uri\":\"entity:node/376\",\"title\":\"Information System Security Officer (ISSO)\",\"options\":\"$179\",\"url\":\"/ispg/information-system-security-officer-isso\"}\n17b:[]\n17a:{\"uri\":\"entity:node/721\",\"title\":\"ISSO Appointment Letter\",\"options\":\"$17b\",\"url\":\"/learn/isso-appointment-letter\"}\n17d:[]\n17c:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":\"$17d\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n177:[\"$178\",\"$17a\",\"$17c\"]\n17e:{\"value\":\"Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eGuidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training\u003c/p\u003e\\n\"}\n172:{\"drupal_internal__nid\":366,\"drupal_internal__vid\":5712,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-25T14:57:26+00:00\",\"status\":true,\"title\":\"CMS Information System Security Officer (ISSO) Handbook\",\"created\":\"2022-08-29T16:40:17+00:00\",\"changed\":\"2024-07-25T14:57:26+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$173\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$174\",\"field_contact_email\":\"ISSO@cms.hhs.gov\",\"field_contact_name\":\"ISSO Support 
Team\",\"field_last_reviewed\":\"2024-07-15\",\"field_related_resources\":\"$177\",\"field_short_description\":\"$17e\"}\n182:{\"drupal_internal__target_id\":\"library\"}\n181:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$182\"}\n184:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/node_type?resourceVersion=id%3A5712\"}\n185:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/node_type?resourceVersio"])</script><script>self.__next_f.push([1,"n=id%3A5712\"}\n183:{\"related\":\"$184\",\"self\":\"$185\"}\n180:{\"data\":\"$181\",\"links\":\"$183\"}\n188:{\"drupal_internal__target_id\":6}\n187:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$188\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/revision_uid?resourceVersion=id%3A5712\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/revision_uid?resourceVersion=id%3A5712\"}\n189:{\"related\":\"$18a\",\"self\":\"$18b\"}\n186:{\"data\":\"$187\",\"links\":\"$189\"}\n18e:{\"drupal_internal__target_id\":26}\n18d:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$18e\"}\n190:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/uid?resourceVersion=id%3A5712\"}\n191:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/uid?resourceVersion=id%3A5712\"}\n18f:{\"related\":\"$190\",\"self\":\"$191\"}\n18c:{\"data\":\"$18d\",\"links\":\"$18f\"}\n194:{\"drupal_internal__target_id\":91}\n193:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$194\"}\n196:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/f
ield_resource_type?resourceVersion=id%3A5712\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_resource_type?resourceVersion=id%3A5712\"}\n195:{\"related\":\"$196\",\"self\":\"$197\"}\n192:{\"data\":\"$193\",\"links\":\"$195\"}\n19b:{\"drupal_internal__target_id\":61}\n19a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$19b\"}\n199:[\"$19a\"]\n19d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/field_roles?resourceVersion=id%3A5712\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_roles?resourceVersion=id%3A5712\"}\n19c:{\"related\":\"$19d\",\"self\":\"$19e\"}\n198:{\"data\":\"$199\",\"links\":"])</script><script>self.__next_f.push([1,"\"$19c\"}\n1a2:{\"drupal_internal__target_id\":56}\n1a1:{\"type\":\"taxonomy_term--topics\",\"id\":\"8b8ffea0-3b0b-404d-8442-7f3a4602482d\",\"meta\":\"$1a2\"}\n1a0:[\"$1a1\"]\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/field_topics?resourceVersion=id%3A5712\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_topics?resourceVersion=id%3A5712\"}\n1a3:{\"related\":\"$1a4\",\"self\":\"$1a5\"}\n19f:{\"data\":\"$1a0\",\"links\":\"$1a3\"}\n17f:{\"node_type\":\"$180\",\"revision_uid\":\"$186\",\"uid\":\"$18c\",\"field_resource_type\":\"$192\",\"field_roles\":\"$198\",\"field_topics\":\"$19f\"}\n16f:{\"type\":\"node--library\",\"id\":\"fa2107f3-5c24-458b-b589-6c85321f2015\",\"links\":\"$170\",\"attributes\":\"$172\",\"relationships\":\"$17f\"}\n1a8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n1a7:{\"self\":\"$1a8\"}\n1aa:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251
,\"langcode\":\"en\"}\n1ab:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n1ac:[\"#cfacts_community\"]\n1a9:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1aa\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team 
\",\"field_short_description\":\"$1ab\",\"field_slack_channel\":\"$1ac\"}\n1b0:{\"drupal_inte"])</script><script>self.__next_f.push([1,"rnal__target_id\":\"explainer\"}\n1af:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1b0\"}\n1b2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n1b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n1b1:{\"related\":\"$1b2\",\"self\":\"$1b3\"}\n1ae:{\"data\":\"$1af\",\"links\":\"$1b1\"}\n1b6:{\"drupal_internal__target_id\":159}\n1b5:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$1b6\"}\n1b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n1b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n1b7:{\"related\":\"$1b8\",\"self\":\"$1b9\"}\n1b4:{\"data\":\"$1b5\",\"links\":\"$1b7\"}\n1bc:{\"drupal_internal__target_id\":26}\n1bb:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1bc\"}\n1be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n1bd:{\"related\":\"$1be\",\"self\":\"$1bf\"}\n1ba:{\"data\":\"$1bb\",\"links\":\"$1bd\"}\n1c3:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n1c2:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$1c3\"}\n1c5:{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}\n1c4:{\"type\":\"paragraph--page_sec
tion\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":\"$1c5\"}\n1c7:{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}\n1c6:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$1c7\"}\n1c9:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n1c8:{\"type\":\"paragraph--page_section\",\"id\":\"594"])</script><script>self.__next_f.push([1,"617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$1c9\"}\n1c1:[\"$1c2\",\"$1c4\",\"$1c6\",\"$1c8\"]\n1cb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n1cc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n1ca:{\"related\":\"$1cb\",\"self\":\"$1cc\"}\n1c0:{\"data\":\"$1c1\",\"links\":\"$1ca\"}\n1d0:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n1cf:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$1d0\"}\n1d2:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n1d1:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$1d2\"}\n1d4:{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}\n1d3:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$1d4\"}\n1d6:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n1d5:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$1d6\"}\n1d8:{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}\n1d7:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$1d8\"}\n1da:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n1d9:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e
0778c7\",\"meta\":\"$1da\"}\n1ce:[\"$1cf\",\"$1d1\",\"$1d3\",\"$1d5\",\"$1d7\",\"$1d9\"]\n1dc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}\n1dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}\n1db:{\"related\":\"$1dc\",\"self\":\"$1dd\"}\n1cd:{\"data\":\"$1ce\",\"links\":\"$1db\"}\n1e0:{\"drupal_internal__target_id\":121}\n1df:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$1e0\"}\n1e2:{\"href\":\"http"])</script><script>self.__next_f.push([1,"s://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n1e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n1e1:{\"related\":\"$1e2\",\"self\":\"$1e3\"}\n1de:{\"data\":\"$1df\",\"links\":\"$1e1\"}\n1e7:{\"drupal_internal__target_id\":66}\n1e6:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1e7\"}\n1e9:{\"drupal_internal__target_id\":61}\n1e8:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1e9\"}\n1eb:{\"drupal_internal__target_id\":76}\n1ea:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1eb\"}\n1ed:{\"drupal_internal__target_id\":71}\n1ec:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1ed\"}\n1e5:[\"$1e6\",\"$1e8\",\"$1ea\",\"$1ec\"]\n1ef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n1f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/rel
ationships/field_roles?resourceVersion=id%3A5999\"}\n1ee:{\"related\":\"$1ef\",\"self\":\"$1f0\"}\n1e4:{\"data\":\"$1e5\",\"links\":\"$1ee\"}\n1f4:{\"drupal_internal__target_id\":36}\n1f3:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$1f4\"}\n1f6:{\"drupal_internal__target_id\":11}\n1f5:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1f6\"}\n1f2:[\"$1f3\",\"$1f5\"]\n1f8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n1f9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n1f7:{\"related\":\"$1f8\",\"self\":\"$1f9\"}\n1f1:{\"data\":\"$1f2\",\"links\":\"$1f7\"}\n1ad:{\"node_type\":\"$1ae\",\"revision_uid\":\"$1b4\",\"uid\":\"$1ba\",\"field_page_section\":\"$1c0\",\"field_related_colle"])</script><script>self.__next_f.push([1,"ction\":\"$1cd\",\"field_resource_type\":\"$1de\",\"field_roles\":\"$1e4\",\"field_topics\":\"$1f1\"}\n1a6:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$1a7\",\"attributes\":\"$1a9\",\"relationships\":\"$1ad\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"d50f58ad-dc83-408d-b7c1-f3eb68429eba\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba?resourceVersion=id%3A6025\"}},\"attributes\":{\"drupal_internal__nid\":1221,\"drupal_internal__vid\":6025,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T22:47:59+00:00\",\"status\":true,\"title\":\"CMS Risk Management Framework 
(RMF)\",\"created\":\"2024-11-20T18:47:49+00:00\",\"changed\":\"2024-12-05T22:47:59+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-risk-management-framework-rmf\",\"pid\":1280,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/node_type?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/node_type?resourceVersion=id%3A6025\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/revision_uid?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/revision_uid?resourceVersion=id%3A6025\"}}},\"
uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/uid?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/uid?resourceVersion=id%3A6025\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"5080ba6c-234b-44bb-8e0f-e980ef7f54c3\",\"meta\":{\"target_revision_id\":19674,\"drupal_internal__target_id\":3534}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/field_page_section?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/field_page_section?resourceVersion=id%3A6025\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"67c48af9-ef58-4f4d-818b-732fcaeef05c\",\"meta\":{\"target_revision_id\":19675,\"drupal_internal__target_id\":3535}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbaa5ea6-fc41-4077-aad9-ec43d64f07a7\",\"meta\":{\"target_revision_id\":19676,\"drupal_internal__target_id\":3536}},{\"type\":\"paragraph--internal_link\",\"id\":\"a527afbb-16a5-4376-83fb-72f8d48388fd\",\"meta\":{\"target_revision_id\":19677,\"drupal_internal__target_id\":3537}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/field_related_collection?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/field_related_collection?resourceVersion=id%3A6025\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\"
:{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/field_resource_type?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/field_resource_type?resourceVersion=id%3A6025\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/field_roles?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/field_roles?resourceVersion=id%3A6025\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/field_topics?resourceVersion=id%3A6025\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d50f58ad-dc83-408d-b7c1-f3eb68429eba/relationships/field_topics?resourceVersion=id%3A6025\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"h
ttps://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\
"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"5080ba6c-234b-44bb-8e0f-e980ef7f54c3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3?resourceVersion=id%3A19674\"}},\"attributes\":{\"drupal_internal__id\":3534,\"drupal_internal__revision_id\":19674,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:08:53+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/paragraph_type?resourceVersion=id%3A19674\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/relationships/paragraph_type?resourceVersion=id%3A19674\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/field_specialty_item?resourceVersion=id%3A19674\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/5080ba6c-234b-44bb-8e0f-e980ef7f54c3/relationships/field_specialty_item?resourceVersion=id%3A19674\"}}}}},{\"type\":\"paragrap
h--internal_link\",\"id\":\"67c48af9-ef58-4f4d-818b-732fcaeef05c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c?resourceVersion=id%3A19675\"}},\"attributes\":{\"drupal_internal__id\":3535,\"drupal_internal__revision_id\":19675,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:08:53+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/paragraph_type?resourceVersion=id%3A19675\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/relationships/paragraph_type?resourceVersion=id%3A19675\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"meta\":{\"drupal_internal__target_id\":381}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/field_link?resourceVersion=id%3A19675\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/67c48af9-ef58-4f4d-818b-732fcaeef05c/relationships/field_link?resourceVersion=id%3A19675\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbaa5ea6-fc41-4077-aad9-ec43d64f07a7\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7?resourceVersion=id%3A19676\"}},\"attributes\":{\"drupal_internal__id\":3536,\"drupal_internal__revision_id\":19676,\"langcode\":\"en\",\"status\":true,\"crea
ted\":\"2024-11-20T20:09:02+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/paragraph_type?resourceVersion=id%3A19676\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/relationships/paragraph_type?resourceVersion=id%3A19676\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"fa2107f3-5c24-458b-b589-6c85321f2015\",\"meta\":{\"drupal_internal__target_id\":366}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/field_link?resourceVersion=id%3A19676\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dbaa5ea6-fc41-4077-aad9-ec43d64f07a7/relationships/field_link?resourceVersion=id%3A19676\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"a527afbb-16a5-4376-83fb-72f8d48388fd\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd?resourceVersion=id%3A19677\"}},\"attributes\":{\"drupal_internal__id\":3537,\"drupal_internal__revision_id\":19677,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-11-20T20:09:33+00:00\",\"parent_id\":\"1221\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa
-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/paragraph_type?resourceVersion=id%3A19677\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/relationships/paragraph_type?resourceVersion=id%3A19677\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/field_link?resourceVersion=id%3A19677\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a527afbb-16a5-4376-83fb-72f8d48388fd/relationships/field_link?resourceVersion=id%3A19677\"}}}}},{\"type\":\"node--explainer\",\"id\":\"af385f5f-f61b-47af-a235-7dc48efd251e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e?resourceVersion=id%3A5993\"}},\"attributes\":{\"drupal_internal__nid\":381,\"drupal_internal__vid\":5993,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-03T14:43:06+00:00\",\"status\":true,\"title\":\"National Institute of Standards and Technology (NIST)\",\"created\":\"2022-08-29T16:46:36+00:00\",\"changed\":\"2024-12-03T14:43:06+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/national-institute-standards-and-technology-nist\",\"pid\":371,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":{\"value\":\"Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about NIST and how the agency\u0026#039;s policies and guidance relate to security and privacy at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#security_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/node_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/node_type?resourceVersion=id%3A5993\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/revision_uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/revision_uid?resourceVersion=id%3A5993\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/uid?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/uid?resourceVersion=id%3A5993\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"65807e01-7389-4561-8818-b4453d59c7ac\",\"meta\":{\"target_revision_id\":19645,\"drupal_internal__tar
get_id\":496}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_page_section?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_page_section?resourceVersion=id%3A5993\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"858b57e7-3499-42a6-9fd4-b045a2aa9c42\",\"meta\":{\"target_revision_id\":19646,\"drupal_internal__target_id\":2001}},{\"type\":\"paragraph--internal_link\",\"id\":\"d171c5fe-3bb3-47be-bd3e-c53cc75c4f9e\",\"meta\":{\"target_revision_id\":19647,\"drupal_internal__target_id\":2011}},{\"type\":\"paragraph--internal_link\",\"id\":\"26c9c7a0-fcc3-4d04-ab8c-21924a868e28\",\"meta\":{\"target_revision_id\":19648,\"drupal_internal__target_id\":2286}},{\"type\":\"paragraph--internal_link\",\"id\":\"4e888450-31b6-43e1-95a0-9ac56298fcc9\",\"meta\":{\"target_revision_id\":19649,\"drupal_internal__target_id\":2281}},{\"type\":\"paragraph--internal_link\",\"id\":\"f43c4cb2-4d4e-4020-a165-aab378f6254d\",\"meta\":{\"target_revision_id\":19650,\"drupal_internal__target_id\":2291}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_related_collection?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_related_collection?resourceVersion=id%3A5993\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_resource_type?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-
a235-7dc48efd251e/relationships/field_resource_type?resourceVersion=id%3A5993\"}}},\"field_roles\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_roles?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_roles?resourceVersion=id%3A5993\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/field_topics?resourceVersion=id%3A5993\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/af385f5f-f61b-47af-a235-7dc48efd251e/relationships/field_topics?resourceVersion=id%3A5993\"}}}}},{\"type\":\"node--library\",\"id\":\"fa2107f3-5c24-458b-b589-6c85321f2015\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015?resourceVersion=id%3A5712\"}},\"attributes\":{\"drupal_internal__nid\":366,\"drupal_internal__vid\":5712,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-25T14:57:26+00:00\",\"status\":true,\"title\":\"CMS Information System Security Officer (ISSO) 
Handbook\",\"created\":\"2022-08-29T16:40:17+00:00\",\"changed\":\"2024-07-25T14:57:26+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"pid\":356,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"ISSO@cms.hhs.gov\",\"field_contact_name\":\"ISSO Support Team\",\"field_last_reviewed\":\"2024-07-15\",\"field_related_resources\":[{\"uri\":\"entity:node/376\",\"title\":\"Information System Security Officer (ISSO)\",\"options\":[],\"url\":\"/ispg/information-system-security-officer-isso\"},{\"uri\":\"entity:node/721\",\"title\":\"ISSO Appointment Letter\",\"options\":[],\"url\":\"/learn/isso-appointment-letter\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}],\"field_short_description\":{\"value\":\"Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eGuidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and 
training\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/node_type?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/node_type?resourceVersion=id%3A5712\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/revision_uid?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/revision_uid?resourceVersion=id%3A5712\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/uid?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/uid?resourceVersion=id%3A5712\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/field_resource_type?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_resource_type?resourceVersion=id%3A5712\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_te
rm--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/field_roles?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_roles?resourceVersion=id%3A5712\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"8b8ffea0-3b0b-404d-8442-7f3a4602482d\",\"meta\":{\"drupal_internal__target_id\":56}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/field_topics?resourceVersion=id%3A5712\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/fa2107f3-5c24-458b-b589-6c85321f2015/relationships/field_topics?resourceVersion=id%3A5712\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"CFACTS is a CMS 
database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}},{\"type\":\"paragraph--page_
section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}
,\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion
=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$26\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$62\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7c\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$96\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$b0\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$ca\",\"5080ba6c-234b-44bb-8e0f-e980ef7f54c3\":\"$e4\",\"67c48af9-ef58-4f4d-818b-732fcaeef05c\":\"$f7\",\"dbaa5ea6-fc41-4077-aad9-ec43d64f07a7\":\"$109\",\"a527afbb-16a5-4376-83fb-72f8d48388fd\":\"$11b\",\"af385f5f-f61b-47af-a235-7dc48efd251e\":\"$12d\",\"fa2107f3-5c24-458b-b589-6c85321f2015\":\"$16f\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$1a6\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Risk Management Framework (RMF) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Risk Management Framework (RMF) | CMS Information Security \u0026 Privacy 
Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Risk Management Framework (RMF) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A structured yet flexible process for managing risk throughout a systems lifecycle, used by CMS in accordance with the RMF from NIST\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>