<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Security Data Lake (SDL) | CMS Information Security & Privacy Group</title><meta name="description" content="A centralized repository for security data created to improve 
CMS’s security posture and support threat detection and threat hunting activities "/><link rel="canonical" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Security Data Lake (SDL) | CMS Information Security & Privacy Group"/><meta property="og:description" content="A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities "/><meta property="og:url" content="https://security.cms.gov/learn/cms-security-data-lake-sdl"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-security-data-lake-sdl/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Security Data Lake (SDL) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities "/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-security-data-lake-sdl/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" 
aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use 
HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" 
aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" 
type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Security Data Lake (SDL)</h1><p class="hero__description">A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities </p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">CRM Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CRMPMO@cms.hhs.gov">CRMPMO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 
margin-top-0">#security-datalake</li><li class="line-height-sans-5 margin-top-0">#cyber-risk-management</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2 dir="ltr">What is the CMS Security Data Lake (SDL)?</h2><p dir="ltr">The CMS Security Data Lake (SDL) is a centralized repository designed to store, process, maintain, secure, and govern large amounts of security data. Unlike most traditional databases and data warehouses, the CMS SDL can process all data types relevant to CMS's security posture including: </p><ul><li dir="ltr">Structured data with standardized formatting </li><li dir="ltr">Semi-structured data, markup languages, logs, telemetry, events, or other data sources.</li></ul><p dir="ltr">The CMS SDL allows CMS to store this raw data from diverse sources and formats and enables security stakeholders to access, analyze, transform, and research the full body of available data in a cost effective way. 
Analyzing this data provides CMS with the ability to: </p><ul><li dir="ltr">Strengthen our real-time visibility into the enterprise IT security posture with actionable intelligence and threat detection data.</li><li dir="ltr">Take a data-driven approach to scale security products and services that enable teams across CMS to achieve their goals quickly and safely.</li><li dir="ltr">Promote cross-functional collaboration among various security stakeholders.</li><li dir="ltr">Create, mature, and diffuse services among our partners that are shared, reusable, and sustainable.</li><li dir="ltr">Easily add, remove, or replace tools as needed.</li></ul><p dir="ltr">In addition to the abilities listed above, the CMS SDL directly responds to both CMS priorities and federal system security requirements designed to improve the security posture of all US government systems.</p><h3 dir="ltr">Government priorities and requirements</h3><p dir="ltr">The White House has prioritized cybersecurity improvements, the adoption of best practices, and the implementation of innovative security tools across federal agencies. 
</p><ul><li dir="ltr"><a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order 14028:</a> Executive Order on Improving the Nation’s Cybersecurity </li><li dir="ltr"><a href="https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf">Office of Management and Budget Memorandum M-22-18:</a> Enhancing the Security of the Software Supply Chain through Secure Software Development Practices </li><li dir="ltr"><a href="https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf">Office of Management and Budget Memorandum M-21-31:</a> Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents </li><li dir="ltr"><a href="https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf">Office of Management and Budget Memorandum M-22-09:</a> Moving the U.S. Government Toward Zero Trust Cybersecurity Principles</li></ul><p dir="ltr">In response, the CMS Information Security and Privacy Group (ISPG) has identified five organizational priorities that relate to cybersecurity at CMS. The CMS SDL addresses these priorities in the following ways: </p><h4 dir="ltr">Risk-based program management</h4><p dir="ltr">The CMS SDL provides a centralized repository for storing and managing data from various sources. This makes it easier to implement data governance controls and monitor access to the data, as opposed to having data spread across multiple systems or silos. This helps teams make more informed risk-based decisions.</p><h4 dir="ltr">Innovation unleashed through experimentation and adaptation </h4><p dir="ltr">Not only is the CMS SDL an innovative product, but it helps teams review and scale other products, tools, and services quickly. 
</p><h4 dir="ltr">Resilient enterprise security posture</h4><p dir="ltr">By aggregating and analyzing data from various sources within the SDL, CMS can perform advanced threat detection and security analytics. This can help identify unusual patterns or anomalies that may indicate security breaches. </p><h4 dir="ltr">First-class integrations using open standards, with ease of automation</h4><p dir="ltr">The CMS SDL can be integrated with other CMS security tools. The SDL is built with simplicity and open standards in mind. This allows for real-time monitoring, security incident alerting, and third-party tool integrations, making it easier for CMS to promptly detect and respond to threats.</p><h4 dir="ltr">Advance CMS toward Zero Trust security</h4><p dir="ltr">The CMS SDL powers CMS' <a href="https://security.cms.gov/learn/zero-trust">Zero Trust</a> maturity program by providing access to user and device behavior data, network traffic logs, and access control policies. Collecting and analyzing this data allows CMS to continuously monitor and verify access requests, detect anomalies, and mature the various Zero Trust pillars.</p><h2 dir="ltr">Why is CMS transitioning to the CMS SDL? </h2><p dir="ltr">As our Next Generation Reporting and CRM programs continue their maturation, DIR wanted to acknowledge the feedback from CMS’ cyber security stakeholders in the community (YOU) and build a data management strategy with a foundation that is flexible enough to meet our current and future requirements. 
In short, the shift towards the SDL was predicated on allowing security management teams to make better and faster decisions regarding CMS' systems.</p><p dir="ltr">Key factors driving CMS to transition are:</p><ul><li dir="ltr">Improved reporting with additional data sources</li><li dir="ltr">Aggregation, normalization, and grouping of data to enhance analysis and reporting</li><li dir="ltr">Allow CMS stakeholders to use the SDL as a self-service entity</li><li dir="ltr">Build your own reports/dashboards and add your own data</li><li dir="ltr">Enhance scalability and flexibility in data processing and data management</li><li dir="ltr">Bring additional security data from multiple sources into one feed (lessen data silos)</li><li dir="ltr">Set the groundwork for employing advanced analytics, machine learning, and artificial intelligence to improve threat detection and response times</li></ul></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>CMS CRM DW on Confluence </h1><p>Learn more about our transition from our "Legacy" Data Warehouse (LDW) to the more efficient Security Data Lake (SDL). </p><p><a href="https://confluenceent.cms.gov/display/ISPG/Security+Data+Warehouse+Transition#84394e3c-3d44-4e17-99d9-fac271da7bc3-568895703">Learn more about the CMS SDL</a></p></section><div class="text-block text-block--theme-explainer"><h2>Who can use the CMS SDL? </h2><p dir="ltr">The open format of the CMS SDL provides a flexible and cost-effective solution for teams across the CMS enterprise to address the agency’s strategic security priorities. 
The CMS SDL is recommended for teams engaged in the following activities:</p><h3 dir="ltr">Continuous Diagnostics and Mitigation (CDM)</h3><p dir="ltr">The CMS SDL is directly related to <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> and the work that’s being done by the Cyber Risk Management (CRM) Team. The CMS SDL can help teams:</p><ul><li dir="ltr">Manage configuration settings using data on asset compliance status, security policies, and severity of vulnerabilities</li><li dir="ltr">Manage hardware assets using data on hardware assets, inventory of EC2 and managed instances, and AWS resource tags</li><li dir="ltr">Assess and mitigate vulnerabilities using data on vulnerabilities, detection, and mitigation status</li></ul><h3 dir="ltr">Security Operations</h3><p dir="ltr">The CMS SDL’s centralized data management enables robust <a href="https://security.cms.gov/policy-guidance/cms-access-control-handbook">access control</a>, encryption, and audit capabilities. Note that because the SDL concentrates security telemetry from across the enterprise, the lake itself is a high-value target: access to it should follow the same least-privilege and audit-logging controls it helps enforce for other systems. 
Additionally, the CMS SDL will: </p><ul><li dir="ltr">Enable and improve collection, detection, triage, investigation, incident response, and lessons learned</li><li dir="ltr">Provide more actionable intelligence and higher-fidelity alerting to speed up triage and incident response</li><li dir="ltr">Use AI tools to analyze low-fidelity alerts for advanced attacks, analyze false positives to refine and tune existing detections and analytics, and identify other patterns and trends</li><li dir="ltr">Offer robust detection logic using detection-as-code; Python-based and community-developed analytics reduce cost, improve portability, and avoid vendor lock-in</li><li dir="ltr">Provide improved data to enhance purple and red teaming and tabletop exercises</li><li dir="ltr">Allow collection policies that are not limited by cost or storage constraints</li></ul><h3 dir="ltr">Threat Intelligence</h3><p dir="ltr">The CMS SDL provides the context needed to feed all core functions of Security Operations, including triage, investigation, and incident response. Additionally, the CMS SDL will offer better strategic and operational intelligence by enabling:</p><ul><li dir="ltr"><a href="https://security.cms.gov/learn/threat-modeling">Threat modeling</a> exercises</li><li dir="ltr">Quantitative data analysis, including loss exceedance curves and probabilistic estimation in real dollars </li><li dir="ltr">Internally-sourced intelligence based on actual incident data that’s stored in the CMS SDL </li><li dir="ltr">Fulfilling CISO and CTI threat intelligence requirements </li></ul><h3 dir="ltr">Threat Hunting</h3><p dir="ltr">Threat hunting is a proactive, data-driven approach that relies on up-to-date, high-quality, comprehensive data. Current threat hunting is heavily dependent on atomic indicators of compromise (IOCs). 
The CMS SDL will allow for:</p><ul><li dir="ltr">More advanced threat hunting, such as anomaly-based hunting and hunting for specific threat actor groups</li><li dir="ltr">Greater focus on the riskiest stages in the kill chain: post-exploitation </li><li dir="ltr">Improved analytics, detections, preventive controls, and incident response</li><li dir="ltr">Faster Observe, Orient, Decide, Act (OODA) loops that will allow CMS to be more responsive to attacks </li></ul><h3 dir="ltr">Software and Container Security</h3><p dir="ltr">The CMS SDL is also used to test and validate tools and services that are currently used by CMS, including:</p><ul><li dir="ltr">Snyk to scan and fix vulnerabilities and license violations in open-source dependencies and containers</li><li dir="ltr">Semgrep for static analysis (SAST) of source code</li><li dir="ltr">Grype for vulnerability scanning of container images and filesystems</li><li dir="ltr">GitLeaks for detecting hard-coded secrets in Git repositories</li><li dir="ltr">Dynamic application security testing (DAST) tools</li></ul><h3 dir="ltr">Software-as-a-Service (SaaS) Governance</h3><p dir="ltr"><a href="https://security.cms.gov/learn/saas-governance-saasg">SaaS governance</a> involves defining data ownership, access policies, and data lifecycle management rules. Implementing data governance practices within the CMS SDL helps reinforce security policies and ensure compliance with current regulations and standards. </p><ul><li dir="ltr">Use AppOmni to monitor SaaS services, track issues, run scans, detail policies, and offer insight into associated risks</li><li dir="ltr">Use BitSight to provide an overview of the company portfolio, company rating, product rating, product information, changes in ratings, and details about potential security threats of a product</li><li dir="ltr">Include SaaS security and operational health in CMS’ risk-based security posture</li></ul><h2>Zero Trust as a Security Model</h2><p><a href="https://security.cms.gov/learn/zero-trust">Zero Trust</a> is a security model that is built on continuous validation at every stage of digital interaction. 
The Zero Trust (ZT) security model, also known as Zero Trust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a Zero Trust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. Zero Trust is well suited to SaaS applications because it helps mitigate risks around access to sensitive data, provides visibility into user activity, and strengthens security posture against cyberattacks.</p><p><strong>Use Cases for Zero Trust</strong></p><ul><li>Replacing or augmenting VPNs: Zero Trust can provide an extra layer of protection for organizations that are looking to replace or augment their VPNs.</li><li>Improving access control for the cloud: Zero Trust can reduce the risk of unauthorized cloud-based access by verifying every request.</li></ul><h2>How can I get help? </h2><p>During this period of transition, you may experience minor disruptions, unexpected issues, or notifications highlighting upcoming updates. The development team is actively working on the two primary issues on our "Current Issues" list during the transition period. Please visit our <a href="https://confluenceent.cms.gov/display/ISPG/CRM+Data+Quality+Status+Tracker">CRM Data Quality Ticket Status Tracker</a> for the latest ticket updates. </p><p>The CMS Cyber Risk Management (CRM) Team can help answer your questions and get your team onboarded to the CMS SDL. You can reach out to the team on CMS Slack in the #cyber-risk-management channel or via email at <a href="mailto:CRMPMO@cms.hhs.gov">CRMPMO@cms.hhs.gov</a>. 
</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-cyber-risk-management-plan-crmp">CMS Cyber Risk Management Plan (CRMP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems. </p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cyber-risk-reports">Cyber Risk Reports (CRR)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 
class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/zero-trust">Zero Trust </a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Security paradigm that requires the continuous verification of system users to promote system security</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T18c5,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is the CMS Security Data Lake (SDL)?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe CMS Security Data Lake (SDL)\u0026nbsp;is a\u0026nbsp;centralized repository designed to store, process, maintain, secure, and govern large amounts of security data. Unlike most traditional databases and data warehouses, the CMS SDL can process all data types relevant to CMS's security posture including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStructured data with standardized formatting\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemi-structured data, markup languages, logs, telemetry, events, or other data sources.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL allows CMS to store this raw data from diverse sources and formats and enables security stakeholders to access, analyze, transform, and research the full body of available data in a cost effective way. 
Analyzing this data provides CMS with the ability to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStrengthen real-time visibility into our enterprise IT security posture with actionable intelligence and threat detection data.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTake a data-driven approach to scale security products and services that enable teams across CMS to achieve their goals quickly and safely.\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePromote cross-functional collaboration among various security stakeholders.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreate, mature, and diffuse services among our partners that are shared, reusable, and sustainable.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEasily add, remove, or replace tools as needed.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn addition to the abilities listed above, the CMS SDL directly responds to both CMS priorities and federal system security requirements designed to improve the security posture of all U.S. government systems.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eGovernment priorities and requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe White House has prioritized cybersecurity improvements, the adoption of best practices, and the implementation of innovative security tools across federal agencies.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order 14028:\u003c/a\u003e Executive Order on Improving the Nation’s Cybersecurity\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOffice of Management and Budget Memorandum M-22-18:\u003c/a\u003e Enhancing the Security of the Software Supply Chain through Secure Software Development Practices\u0026nbsp;\u003c/li\u003e\u003cli 
dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOffice of Management and Budget Memorandum M-21-31:\u0026nbsp;\u003c/a\u003eImproving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (the memorandum that sets event-logging, log-retention, and centralized log-access requirements for federal agencies)\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"\u003eOffice of Management and Budget Memorandum M-22-09:\u0026nbsp;\u003c/a\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn response, the CMS Information Security and Privacy Group (ISPG) has identified five organizational priorities that relate to cybersecurity at CMS. The CMS SDL addresses these priorities in the following ways:\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRisk-based program management\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides a centralized repository for storing and managing data from various sources. This makes it easier to implement data governance controls and monitor access to the data, as opposed to having data spread across multiple systems or silos. This helps teams make more informed risk-based decisions. Centralization also concentrates risk: security telemetry can contain sensitive information, so access to the SDL itself must be limited to the least privilege each user or integration needs, and that access must be logged and reviewed.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eInnovation unleashed through experimentation and adaptation\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eNot only is the CMS SDL an innovative product, but it helps teams review and scale other products, tools, and services quickly.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eResilient enterprise security posture\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBy aggregating and analyzing data from various sources within the SDL, CMS can perform advanced threat detection and security analytics. 
This can help identify unusual patterns or anomalies that may indicate security breaches.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eFirst-class integrations, using open standards, ease of automation.\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL can be integrated with other CMS security tools. The SDL is built with simplicity and open standards in mind. This allows for real-time monitoring, security incident alerting, and 3rd party tool integrations making it easier for CMS to promptly detect and respond to threats.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eAdvance CMS toward Zero Trust security\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL powers\u0026nbsp;CMS' \u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZero Trust\u003c/a\u003e maturity program by providing access to user and device behavior data, network traffic logs, and access control policies. Collecting and analyzing this data allows CMS to continuously monitor and verify access requests, detect anomalies, and mature the various Zero Trust pillars.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhy is CMS transitioning to the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs our Next Generation Reporting and CRM programs continue their maturation, DIR wanted to acknowledge the feedback from CMS’ cyber security stakeholders in the community (YOU) and build a data management strategy with a foundation that is flexible enough to meet our current and future requirements. 
In short, the shift towards the SDL was predicated on allowing security management teams to make better and faster decisions regarding CMS' systems.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eKey factors driving CMS to transition are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eImproved reporting with additional data sources\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAggregation, normalization, and grouping of data to enhance analysis and reporting\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllow CMS stakeholders to use the SDL as a self-service entity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBuild your own reports/dashboards and add your own data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnhance scalability and flexibility in data processing and data management\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBring additional security data from multiple sources into one feed (lessen data silos)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSet the groundwork for employing advanced analytics, machine learning, and artificial intelligence to improve threat detection and response times\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"19:T18c5,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is the CMS Security Data Lake (SDL)?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe CMS Security Data Lake (SDL)\u0026nbsp;is a\u0026nbsp;centralized repository designed to store, process, maintain, secure, and govern large amounts of security data. 
Unlike most traditional databases and data warehouses, the CMS SDL can process all data types relevant to CMS's security posture including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStructured data with standardized formatting\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemi-structured data, markup languages, logs, telemetry, events, or other data sources.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL allows CMS to store this raw data from diverse sources and formats and enables security stakeholders to access, analyze, transform, and research the full body of available data in a cost effective way. Analyzing this data provides CMS with the ability to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStrengthen our real-time visibility enterprise IT security posture with actionable intelligence and threat detection data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTake a data-driven approach to scale security products and services that enable teams across CMS to achieve their goals quickly and safely.\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePromote cross-functional collaboration among various security stakeholders.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreate, mature, and diffuse services among our partners that are shared, reusable and sustainable\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEasily add, remove, or replace tools as needed.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn addition to the abilities listed above, the CMS SDL directly responds to both CMS priorities and federal system security requirements designed to improve the security posture of all US government systems.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eGovernment priorities and requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe White House has prioritized cybersecurity improvements, the adoption of best practices, and the implementation of innovative security tools across 
federal agencies.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order 14028:\u003c/a\u003e Executive Order on Improving the Nation’s Cybersecurity\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOffice of Management and Budget Memorandum M-22-18:\u003c/a\u003e Enhancing the Security of the Software Supply Chain through Secure Software Development Practices\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOffice of Management and Budget Memorandum M-21-31:\u0026nbsp;\u003c/a\u003eImproving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"\u003eOffice of Management and Budget Memorandum M-22-09:\u0026nbsp;\u003c/a\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn response, the CMS Information Security and Privacy Group (ISPG) has identified five organizational priorities that relate to cybersecurity at CMS. The CMS SDL addresses these priorities in the following ways:\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRisk-based program management\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides a centralized repository for storing and managing data from various sources. This makes it easier to implement data governance controls and monitor access to the data, as opposed to having data spread across multiple systems or silos. 
This helps teams make more informed risk-based decisions.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eInnovation unleashed through experimentation and adaptation\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eNot only is the CMS SDL an innovative product, but it helps teams review and scale other products, tools, and services quickly.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eResilient enterprise security posture\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBy aggregating and analyzing data from various sources within the SDL, CMS can perform advanced threat detection and security analytics. This can help identify unusual patterns or anomalies that may indicate security breaches.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eFirst-class integrations, using open standards, ease of automation.\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL can be integrated with other CMS security tools. The SDL is built with simplicity and open standards in mind. This allows for real-time monitoring, security incident alerting, and 3rd party tool integrations making it easier for CMS to promptly detect and respond to threats.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eAdvance CMS toward Zero Trust security\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL powers\u0026nbsp;CMS' \u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZero Trust\u003c/a\u003e maturity program by providing access to user and device behavior data, network traffic logs, and access control policies. 
Collecting and analyzing this data allows CMS to continuously monitor and verify access requests, detect anomalies, and mature the various Zero Trust pillars.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhy is CMS transitioning to the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs our Next Generation Reporting and CRM programs continue their maturation, DIR wanted to acknowledge the feedback from CMS’ cyber security stakeholders in the community (YOU) and build a data management strategy with a foundation that is flexible enough to meet our current and future requirements. In short, the shift towards the SDL was predicated on allowing security management teams to make better and faster decisions regarding CMS' systems.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eKey factors driving CMS to transition are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eImproved reporting with additional data sources\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAggregation, normalization, and grouping of data to enhance analysis and reporting\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllow CMS stakeholders to use the SDL as a self-service entity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBuild your own reports/dashboards and add your own data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnhance scalability and flexibility in data processing and data management\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBring additional security data from multiple sources into one feed (lessen data silos)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSet the groundwork for employing advanced analytics, machine learning, and artificial intelligence to improve threat detection and response times\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1a:T1b4d,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho can use the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe open format of the CMS SDL provides a 
flexible and cost-effective solution for teams across the CMS enterprise to address the agency’s strategic security priorities. The CMS SDL is recommended for teams engaged in the following activities:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is directly related to\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e and the work that’s being done by the Cyber Risk Management (CRM) Team. The CMS SDL can help teams:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eManage configuration settings using data on asset compliance status, security policies, and severity of vulnerabilities\u003c/li\u003e\u003cli dir=\"ltr\"\u003eManage hardware assets using data on hardware assets, inventory of EC2 and managed instances, and AWS resource tags\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess and mitigate vulnerabilities using data on vulnerabilities, detection, and mitigation status\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSecurity Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL’s centralized data management enables robust\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eaccess control\u003c/a\u003e, encryption, and audit capabilities. 
Additionally, the CMS SDL will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEnable and improve collection, detection, triage, investigation, incident response and lessons learned\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProvide more actionable intelligence, higher fidelity alerting to speed up triage and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse AI tools to analyze low fidelity alerts for advanced attacks, analyze false positives to refine and tune existing detections / analytics, identify other patterns / trends\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOffer robust detection logic using detection-as-code, Python and community-driven and developed analytics will reduce cost, improve portability and avoid vendor lock-in\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved data will enhance purple and red teaming and tabletop testing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCollection policies not limited by cost or storage constraints\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Intelligence\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides the context needed to feed all core functions of Security Operations including triage, investigation, and incident response. 
Additionally, the CMS SDL will offer better \"strategic and operational\" intelligence by enabling:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/threat-modeling\"\u003eThreat modeling\u003c/a\u003e exercises\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuantitative data analysis including loss exceedance curves and probabilistic estimation in real dollars\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInternally-sourced intelligence based on actual incident data that’s stored in the CMS SDL\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFulfilling CISO and CTI threat intelligence requirements\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Hunting\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThreat hunting is a proactive, data driven approach that is reliant on up-to-date, high quality, comprehensive data. Current threat hunting is heavily dependent on atomic indicators of compromise (IOCs). 
The CMS SDL will allow for:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMore advanced threat hunting, such as anomaly-based and by specific threat actor groups\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGreater focus on riskiest stages in kill chain: post exploitation\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved analytics, detections, preventive controls, and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFaster Observe, Orient, Decide, Act (OODA) loops that will allow CMS to be more responsive to attacks\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware and Container Security\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is also used to test and validate tools and services that are currently used by CMS including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSnyk to scan and fix vulnerabilities and license violations in open-source dependencies and containers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemgrep\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGrype\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGitLeaks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther DAST tools\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware-as-a-Service (SaaS) Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/saas-governance-saasg\"\u003eSaaS governance\u003c/a\u003e involves defining data ownership, access policies, and data lifecycle management rules. 
Implementing data governance practices within the CMS SDL helps re-enforce security policies and ensure compliance with current regulations and standards.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUse AppOmni to monitor SaaS services, track issues, run scans, detail policies, and offer insight into associated risks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse BitSight to provide overview of company portfolio, company rating, product rating, product information, changes in ratings, details about potential security threats of product\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInclude SaaS Security and operational health into CMS’ risk-based security posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003eZeroTrust as a Security Model\u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZeroTrust\u003c/a\u003e is a security model that is built on continuous validation at every stage of digital interaction. The ZeroTrust (ZT) security model, also known as ZeroTrust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a ZeroTrust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. 
ZeroTrust is a security strategy that is ideal for SaaS applications because it can help mitigate risks associated with access to sensitive data, tracking user activity, security posture, and cyberattacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUse Cases for ZeroTrust\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReplacing or augmenting VPNs: ZeroTrust can provide an extra layer of protection for organizations that are looking to replace or augment their VPNs.\u003c/li\u003e\u003cli\u003eImproving access control for the cloud: ZeroTrust can reduce the risk of unauthorized cloud-based access by verifying all requests.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow can I get help?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDuring this period of transition, you may experience minor disruptions, unexpected issues, or notifications highlighting upcoming updates. The development team is proactively working on two primary issues during the transition period on our \"Current Issues\" list. Please visit our \u003ca href=\"https://confluenceent.cms.gov/display/ISPG/CRM+Data+Quality+Status+Tracker\"\u003eCRM Data Quality Ticket Status Tracker\u003c/a\u003e for the latest ticket updates.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS Cyber Risk Management (CRM) Team can help answer your questions and get your team onboarded to the CMS SDL. 
You can reach out to the team on CMS Slack in the #cyber-risk-management channel or via email at\u0026nbsp;\u003ca href=\"mailto:CRMPMO@cms.hhs.gov\"\u003eCRMPMO@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T1b4d,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho can use the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe open format of the CMS SDL provides a flexible and cost-effective solution for teams across the CMS enterprise to address the agency’s strategic security priorities. The CMS SDL is recommended for teams engaged in the following activities:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is directly related to\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e and the work that’s being done by the Cyber Risk Management (CRM) Team. The CMS SDL can help teams:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eManage configuration settings using data on asset compliance status, security policies, and severity of vulnerabilities\u003c/li\u003e\u003cli dir=\"ltr\"\u003eManage hardware assets using data on hardware assets, inventory of EC2 and managed instances, and AWS resource tags\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess and mitigate vulnerabilities using data on vulnerabilities, detection, and mitigation status\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSecurity Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL’s centralized data management enables robust\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eaccess control\u003c/a\u003e, encryption, and audit capabilities. 
Additionally, the CMS SDL will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEnable and improve collection, detection, triage, investigation, incident response and lessons learned\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProvide more actionable intelligence, higher fidelity alerting to speed up triage and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse AI tools to analyze low fidelity alerts for advanced attacks, analyze false positives to refine and tune existing detections / analytics, identify other patterns / trends\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOffer robust detection logic using detection-as-code, Python and community-driven and developed analytics will reduce cost, improve portability and avoid vendor lock-in\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved data will enhance purple and red teaming and tabletop testing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCollection policies not limited by cost or storage constraints\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Intelligence\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides the context needed to feed all core functions of Security Operations including triage, investigation, and incident response. 
Additionally, the CMS SDL will offer better \"strategic and operational\" intelligence by enabling:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/threat-modeling\"\u003eThreat modeling\u003c/a\u003e exercises\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuantitative data analysis including loss exceedance curves and probabilistic estimation in real dollars\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInternally-sourced intelligence based on actual incident data that’s stored in the CMS SDL\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFulfilling CISO and CTI threat intelligence requirements\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Hunting\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThreat hunting is a proactive, data driven approach that is reliant on up-to-date, high quality, comprehensive data. Current threat hunting is heavily dependent on atomic indicators of compromise (IOCs). 
The CMS SDL will allow for:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMore advanced threat hunting, such as anomaly-based and by specific threat actor groups\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGreater focus on riskiest stages in kill chain: post exploitation\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved analytics, detections, preventive controls, and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFaster Observe, Orient, Decide, Act (OODA) loops that will allow CMS to be more responsive to attacks\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware and Container Security\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is also used to test and validate tools and services that are currently used by CMS including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSnyk to scan and fix vulnerabilities and license violations in open-source dependencies and containers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemgrep\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGrype\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGitLeaks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther DAST tools\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware-as-a-Service (SaaS) Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/saas-governance-saasg\"\u003eSaaS governance\u003c/a\u003e involves defining data ownership, access policies, and data lifecycle management rules. 
Implementing data governance practices within the CMS SDL helps re-enforce security policies and ensure compliance with current regulations and standards.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUse AppOmni to monitor SaaS services, track issues, run scans, detail policies, and offer insight into associated risks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse BitSight to provide overview of company portfolio, company rating, product rating, product information, changes in ratings, details about potential security threats of product\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInclude SaaS Security and operational health into CMS’ risk-based security posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003eZeroTrust as a Security Model\u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZeroTrust\u003c/a\u003e is a security model that is built on continuous validation at every stage of digital interaction. The ZeroTrust (ZT) security model, also known as ZeroTrust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a ZeroTrust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. 
ZeroTrust is a security strategy that is ideal for SaaS applications because it can help mitigate risks associated with access to sensitive data, tracking user activity, security posture, and cyberattacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUse Cases for ZeroTrust\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReplacing or augmenting VPNs: ZeroTrust can provide an extra layer of protection for organizations that are looking to replace or augment their VPNs.\u003c/li\u003e\u003cli\u003eImproving access control for the cloud: ZeroTrust can reduce the risk of unauthorized cloud-based access by verifying all requests.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow can I get help?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDuring this period of transition, you may experience minor disruptions, unexpected issues, or notifications highlighting upcoming updates. The development team is proactively working on two primary issues during the transition period on our \"Current Issues\" list. Please visit our \u003ca href=\"https://confluenceent.cms.gov/display/ISPG/CRM+Data+Quality+Status+Tracker\"\u003eCRM Data Quality Ticket Status Tracker\u003c/a\u003e for the latest ticket updates.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS Cyber Risk Management (CRM) Team can help answer your questions and get your team onboarded to the CMS SDL. You can reach out to the team on CMS Slack in the #cyber-risk-management channel or via email at\u0026nbsp;\u003ca href=\"mailto:CRMPMO@cms.hhs.gov\"\u003eCRMPMO@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. 
The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for the continuous monitoring of the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. 
The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establish a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy, CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. \u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. 
data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides a high-level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting. The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run security validation early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during the operations phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point-in-time) authorization process to ongoing authorization, which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in a perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization, systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics, each with an established risk tolerance (i.e. threshold). Systems remain compliant with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management, enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real-time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program, CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers the tools to access security data and provide the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1d:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. 
Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuous monitoring of the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establish a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy, CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. 
\u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment, organizations gain context and a comprehension of the nature of the risk, which allows the level of the risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides a high-level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting. The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e., point-in-time) authorization process to ongoing authorization, which will enable a dynamic, near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in a perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only, and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization, systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics, each with an established risk tolerance (i.e., threshold). Systems remain compliant with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e., an OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework, including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management, enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near real-time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program, CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers the tools to access security data and the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1e:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. 
Business Owners must review all controls since all are relevant and should be considered – even if they are not required to be implemented – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS-wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. 
The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. 
In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. 
The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. 
They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. 
For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. 
However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. 
The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. 
Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting).
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1f:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the 
ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. 
HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to 
\u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. 
CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. 
\u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). 
Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. 
In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. 
Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g., AC-2(1), AC-2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. 
They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency with which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency with which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. 
This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control 
families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"22:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n21:{\"self\":\"$22\"}\n25:[\"menu_ui\",\"scheduler\"]\n24:{\"module\":\"$25\"}\n28:[]\n27:{\"available_menus\":\"$28\",\"parent\":\"\"}\n29:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n26:{\"menu_ui\":\"$27\",\"scheduler\":\"$29\"}\n23:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$24\",\"third_party_settings\":\"$26\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n20:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$21\",\"attributes\":\"$23\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/7e79c546-d123-46dd-9480-b7f2e7d81691\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"gollange\"}\n2a:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2f:{\"self\":\"$30\"}\n31:{\"display_name\":\"meg - 
retired\"}\n2e:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2f\",\"attributes\":\"$31\"}\n34:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n33:{\"self\":\"$34\"}\n36:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n35:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\""])</script><script>self.__next_f.push([1,"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$36\"}\n3a:{\"drupal_internal__target_id\":\"resource_type\"}\n39:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$3a\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n38:{\"data\":\"$39\",\"links\":\"$3b\"}\n40:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n41:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n3f:{\"related\":\"$40\",\"self\":\"$41\"}\n3e:{\"data\":null,\"links\":\"$3f\"}\n48:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n47:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$48\"}\n46:{\"help\":\"$47\"}\n45:{\"links\":\"$46\"}\n44:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$45\"}\n43:[\"$44\"]\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n4b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n49:{\"related\":\"$4a\",\"self\":\"$4b\"}\n42:{\"data\":\"$43\",\"links\":\"$49\"}\n37:{\"vid\":\"$38\",\"revision_user\":\"$3e\",\"parent\":\"$42\"}\n32:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$33\",\"attributes\":\"$35\",\"relationships\":\"$37\"}\n4e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}\n4d:{\"self\":\"$4e\"}\n50:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4f:{\"drupal_internal"])</script><script>self.__next_f.push([1,"__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application 
Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$50\"}\n54:{\"drupal_internal__target_id\":\"topics\"}\n53:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$54\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n52:{\"data\":\"$53\",\"links\":\"$55\"}\n5a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\n5b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\n59:{\"related\":\"$5a\",\"self\":\"$5b\"}\n58:{\"data\":null,\"links\":\"$59\"}\n62:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n61:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$62\"}\n60:{\"help\":\"$61\"}\n5f:{\"links\":\"$60\"}\n5e:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$5f\"}\n5d:[\"$5e\"]\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\n65:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\n63:{\"related\":\"$64\",\"self\":\"$65\"}\n5c:{\"data\":\"$5d\",\"links\":\"$63\"}\n51:{\"vid\":\"$52\",\"revision_user\":\"$58\",\"parent\":\"$5c\"}\n4c:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$4d\",\"attributes\":\"$4f\",\"relationships\":\"$51\"}\n68:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/to"])</script><script>self.__next_f.push([1,"pics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\n67:{\"self\":\"$68\"}\n6a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n69:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$6a\"}\n6e:{\"drupal_internal__target_id\":\"topics\"}\n6d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$6e\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6c:{\"data\":\"$6d\",\"links\":\"$6f\"}\n74:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\n75:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\n73:{\"related\":\"$74\",\"self\":\"$75\"}\n72:{\"data\":null,\"links\":\"$73\"}\n7c:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n7b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7c\"}\n7a:{\"help\":\"$7b\"}\n79:{\"links\":\"$7a\"}\n78:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$79\"}\n77:[\"$78\"]\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\n7f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\n7d:{\"related\":\"$7e\",\"self\":\"$7f\"}\n76:{\"data\":\"$77\",\"links\":\"$7d\"}\n6b:{\"vid\":\"$6c\",\"revision_user\":\"$72\",\"parent\":\"$76\"}\n66:{\"type\":\"taxonomy_term--topics\",\"id\""])</script><script>self.__next_f.push([1,":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$67\",\"attributes\":\"$69\",\"relationships\":\"$6b\"}\n82:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef?resourceVersion=id%3A19506\"}\n81:{\"self\":\"$82\"}\n84:[]\n86:T18c5,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is the CMS Security Data Lake (SDL)?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe CMS Security Data Lake (SDL)\u0026nbsp;is a\u0026nbsp;centralized repository designed to store, process, maintain, secure, and govern large amounts of security data. 
Unlike most traditional databases and data warehouses, the CMS SDL can process all data types relevant to CMS's security posture including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStructured data with standardized formatting\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemi-structured data, markup languages, logs, telemetry, events, or other data sources.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL allows CMS to store this raw data from diverse sources and formats and enables security stakeholders to access, analyze, transform, and research the full body of available data in a cost-effective way. Analyzing this data provides CMS with the ability to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStrengthen real-time visibility into our enterprise IT security posture with actionable intelligence and threat detection data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTake a data-driven approach to scale security products and services that enable teams across CMS to achieve their goals quickly and safely.\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePromote cross-functional collaboration among various security stakeholders.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreate, mature, and diffuse services among our partners that are shared, reusable and sustainable\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEasily add, remove, or replace tools as needed.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn addition to the abilities listed above, the CMS SDL directly responds to both CMS priorities and federal system security requirements designed to improve the security posture of all US government systems.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eGovernment priorities and requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe White House has prioritized cybersecurity improvements, the adoption of best practices, and the implementation of innovative security tools across 
federal agencies.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order 14028:\u003c/a\u003e Executive Order on Improving the Nation’s Cybersecurity\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOffice of Management and Budget Memorandum M-22-18:\u003c/a\u003e Enhancing the Security of the Software Supply Chain through Secure Software Development Practices\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOffice of Management and Budget Memorandum M-21-31:\u0026nbsp;\u003c/a\u003eImproving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"\u003eOffice of Management and Budget Memorandum M-22-09:\u0026nbsp;\u003c/a\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn response, the CMS Information Security and Privacy Group (ISPG) has identified five organizational priorities that relate to cybersecurity at CMS. The CMS SDL addresses these priorities in the following ways:\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRisk-based program management\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides a centralized repository for storing and managing data from various sources. This makes it easier to implement data governance controls and monitor access to the data, as opposed to having data spread across multiple systems or silos. 
This helps teams make more informed risk-based decisions.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eInnovation unleashed through experimentation and adaptation\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eNot only is the CMS SDL an innovative product, but it helps teams review and scale other products, tools, and services quickly.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eResilient enterprise security posture\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBy aggregating and analyzing data from various sources within the SDL, CMS can perform advanced threat detection and security analytics. This can help identify unusual patterns or anomalies that may indicate security breaches.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eFirst-class integrations, using open standards, ease of automation.\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL can be integrated with other CMS security tools. The SDL is built with simplicity and open standards in mind. This allows for real-time monitoring, security incident alerting, and 3rd party tool integrations making it easier for CMS to promptly detect and respond to threats.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eAdvance CMS toward Zero Trust security\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL powers\u0026nbsp;CMS' \u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZero Trust\u003c/a\u003e maturity program by providing access to user and device behavior data, network traffic logs, and access control policies. 
Collecting and analyzing this data allows CMS to continuously monitor and verify access requests, detect anomalies, and mature the various Zero Trust pillars.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhy is CMS transitioning to the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs our Next Generation Reporting and CRM programs continue their maturation, DIR wanted to acknowledge the feedback from CMS’ cyber security stakeholders in the community (YOU) and build a data management strategy with a foundation that is flexible enough to meet our current and future requirements. In short, the shift towards the SDL was predicated on allowing security management teams to make better and faster decisions regarding CMS' systems.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eKey factors driving CMS to transition are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eImproved reporting with additional data sources\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAggregation, normalization, and grouping of data to enhance analysis and reporting\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllow CMS stakeholders to use the SDL as a self-service entity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBuild your own reports/dashboards and add your own data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnhance scalability and flexibility in data processing and data management\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBring additional security data from multiple sources into one feed (lessen data silos)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSet the groundwork for employing advanced analytics, machine learning, and artificial intelligence to improve threat detection and response times\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"87:T18c5,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhat is the CMS Security Data Lake (SDL)?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe CMS Security Data 
Lake (SDL)\u0026nbsp;is a\u0026nbsp;centralized repository designed to store, process, maintain, secure, and govern large amounts of security data. Unlike most traditional databases and data warehouses, the CMS SDL can process all data types relevant to CMS's security posture including:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStructured data with standardized formatting\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemi-structured data, markup languages, logs, telemetry, events, or other data sources.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL allows CMS to store this raw data from diverse sources and formats and enables security stakeholders to access, analyze, transform, and research the full body of available data in a cost-effective way. Analyzing this data provides CMS with the ability to:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eStrengthen real-time visibility into our enterprise IT security posture with actionable intelligence and threat detection data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTake a data-driven approach to scale security products and services that enable teams across CMS to achieve their goals quickly and safely.\u003c/li\u003e\u003cli dir=\"ltr\"\u003ePromote cross-functional collaboration among various security stakeholders.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreate, mature, and diffuse services among our partners that are shared, reusable and sustainable\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEasily add, remove, or replace tools as needed.\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn addition to the abilities listed above, the CMS SDL directly responds to both CMS priorities and federal system security requirements designed to improve the security posture of all US government systems.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eGovernment priorities and requirements\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe 
White House has prioritized cybersecurity improvements, the adoption of best practices, and the implementation of innovative security tools across federal agencies.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\"\u003eExecutive Order 14028:\u003c/a\u003e Executive Order on Improving the Nation’s Cybersecurity\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf\"\u003eOffice of Management and Budget Memorandum M-22-18:\u003c/a\u003e Enhancing the Security of the Software Supply Chain through Secure Software Development Practices\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOffice of Management and Budget Memorandum M-21-31:\u0026nbsp;\u003c/a\u003eImproving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"\u003eOffice of Management and Budget Memorandum M-22-09:\u0026nbsp;\u003c/a\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eIn response, the CMS Information Security and Privacy Group (ISPG) has identified five organizational priorities that relate to cybersecurity at CMS. The CMS SDL addresses these priorities in the following ways:\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eRisk-based program management\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides a centralized repository for storing and managing data from various sources. 
This makes it easier to implement data governance controls and monitor access to the data, as opposed to having data spread across multiple systems or silos. This helps teams make more informed risk-based decisions.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eInnovation unleashed through experimentation and adaptation\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eNot only is the CMS SDL an innovative product, but it helps teams review and scale other products, tools, and services quickly.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eResilient enterprise security posture\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eBy aggregating and analyzing data from various sources within the SDL, CMS can perform advanced threat detection and security analytics. This can help identify unusual patterns or anomalies that may indicate security breaches.\u0026nbsp;\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eFirst-class integrations, using open standards, ease of automation.\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL can be integrated with other CMS security tools. The SDL is built with simplicity and open standards in mind. This allows for real-time monitoring, security incident alerting, and 3rd party tool integrations making it easier for CMS to promptly detect and respond to threats.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003cstrong\u003eAdvance CMS toward Zero Trust security\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL powers\u0026nbsp;CMS' \u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZero Trust\u003c/a\u003e maturity program by providing access to user and device behavior data, network traffic logs, and access control policies. 
Collecting and analyzing this data allows CMS to continuously monitor and verify access requests, detect anomalies, and mature the various Zero Trust pillars.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003e\u003cstrong\u003eWhy is CMS transitioning to the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAs our Next Generation Reporting and CRM programs continue their maturation, DIR wanted to acknowledge the feedback from CMS’ cyber security stakeholders in the community (YOU) and build a data management strategy with a foundation that is flexible enough to meet our current and future requirements. In short, the shift towards the SDL was predicated on allowing security management teams to make better and faster decisions regarding CMS' systems.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eKey factors driving CMS to transition are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eImproved reporting with additional data sources\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAggregation, normalization, and grouping of data to enhance analysis and reporting\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAllow CMS stakeholders to use the SDL as a self-service entity\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBuild your own reports/dashboards and add your own data\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEnhance scalability and flexibility in data processing and data management\u003c/li\u003e\u003cli dir=\"ltr\"\u003eBring additional security data from multiple sources into one feed (lessen data silos)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSet the groundwork for employing advanced analytics, machine learning, and artificial intelligence to improve threat detection and response 
times\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"85:{\"value\":\"$86\",\"format\":\"body_text\",\"processed\":\"$87\"}\n83:{\"drupal_internal__id\":3487,\"drupal_internal__revision_id\":19506,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:38+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$84\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$85\"}\n8b:{\"drupal_internal__target_id\":\"page_section\"}\n8a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$8b\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/paragraph_type?resourceVersion=id%3A19506\"}\n8e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/relationships/paragraph_type?resourceVersion=id%3A19506\"}\n8c:{\"related\":\"$8d\",\"self\":\"$8e\"}\n89:{\"data\":\"$8a\",\"links\":\"$8c\"}\n91:{\"target_revision_id\":19505,\"drupal_internal__target_id\":3493}\n90:{\"type\":\"paragraph--call_out_box\",\"id\":\"d33367a1-46bf-4b3c-9d32-5559dac28c9c\",\"meta\":\"$91\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/field_specialty_item?resourceVersion=id%3A19506\"}\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/relationships/field_specialty_item?resourceVersion=id%3A19506\"}\n92:{\"related\":\"$93\",\"self\":\"$94\"}\n8f:{\"data\":\"$90\",\"links\":\"$92\"}\n88:{\"paragraph_type\":\"$89\",\"field_specialty_item\":\"$8f\"}\n80:{\"type\":\"paragraph--page_section\",\"id\":\"dfc07f21-a3f0-48e8-92ac-41f915d0b1ef\",\"links\":\"$81\",\"attributes\":\"$83\",\"relationships\":\"$88\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025
-6e11-4adc-8097-fe29609424c5?resourceVersion=id%3A19507\"}\n96:{\"self\":\"$97\"}\n99:[]\n9b:T1b4d,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho can use the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe open format of the CMS SDL provides a flexible and cost-effective solution for teams across the CMS enterprise to address the agency’s strategic security priorities. The CMS SDL is recommended for teams engaged in the following activities:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is directly related to\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e and the work that’s being done by the Cyber Risk Management (CRM) Team. The CMS SDL can help teams:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eManage configuration settings using data on asset compliance status, security policies, and severity of vulnerabilities\u003c/li\u003e\u003cli dir=\"ltr\"\u003eManage hardware assets using data on hardware assets, inventory of EC2 and managed instances, and AWS resource tags\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess and mitigate vulnerabilities using data on vulnerabilities, detection, and mitigation status\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSecurity Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eBecause the CMS SDL concentrates security telemetry from across the enterprise, it is itself a high-value target; its centralized data management both enables and requires robust\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eaccess control\u003c/a\u003e, encryption, and audit capabilities. 
Additionally, the CMS SDL will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEnable and improve collection, detection, triage, investigation, incident response and lessons learned\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProvide more actionable intelligence, higher fidelity alerting to speed up triage and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse AI tools to analyze low fidelity alerts for advanced attacks, analyze false positives to refine and tune existing detections / analytics, identify other patterns / trends\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOffer robust detection logic using detection-as-code, Python and community-driven and developed analytics will reduce cost, improve portability and avoid vendor lock-in\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved data will enhance purple and red teaming and tabletop testing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCollection policies not limited by cost or storage constraints\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Intelligence\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides the context needed to feed all core functions of Security Operations including triage, investigation, and incident response. 
Additionally, the CMS SDL will offer better \"strategic and operational\" intelligence by enabling:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/threat-modeling\"\u003eThreat modeling\u003c/a\u003e exercises\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuantitative data analysis including loss exceedance curves and probabilistic estimation in real dollars\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInternally-sourced intelligence based on actual incident data that’s stored in the CMS SDL\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFulfilling CISO and CTI threat intelligence requirements\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Hunting\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThreat hunting is a proactive, data-driven approach that is reliant on up-to-date, high-quality, comprehensive data. Current threat hunting is heavily dependent on atomic indicators of compromise (IOCs). 
The CMS SDL will allow for:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMore advanced threat hunting, such as anomaly-based and by specific threat actor groups\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGreater focus on riskiest stages in kill chain: post exploitation\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved analytics, detections, preventive controls, and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFaster Observe, Orient, Decide, Act (OODA) loops that will allow CMS to be more responsive to attacks\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware and Container Security\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is also used to test and validate tools and services that are currently used by CMS including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSnyk to scan and fix vulnerabilities and license violations in open-source dependencies and containers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemgrep\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGrype\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGitLeaks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther DAST tools\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware-as-a-Service (SaaS) Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/saas-governance-saasg\"\u003eSaaS governance\u003c/a\u003e involves defining data ownership, access policies, and data lifecycle management rules. 
Implementing data governance practices within the CMS SDL helps re-enforce security policies and ensure compliance with current regulations and standards.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUse AppOmni to monitor SaaS services, track issues, run scans, detail policies, and offer insight into associated risks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse BitSight to provide overview of company portfolio, company rating, product rating, product information, changes in ratings, details about potential security threats of product\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInclude SaaS Security and operational health into CMS’ risk-based security posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003eZeroTrust as a Security Model\u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZeroTrust\u003c/a\u003e is a security model that is built on continuous validation at every stage of digital interaction. The ZeroTrust (ZT) security model, also known as ZeroTrust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a ZeroTrust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. 
ZeroTrust is a security strategy that is ideal for SaaS applications because it can help mitigate risks associated with access to sensitive data, tracking user activity, security posture, and cyberattacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUse Cases for ZeroTrust\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReplacing or augmenting VPNs: ZeroTrust can provide an extra layer of protection for organizations that are looking to replace or augment their VPNs.\u003c/li\u003e\u003cli\u003eImproving access control for the cloud: ZeroTrust can reduce the risk of unauthorized cloud-based access by verifying all requests.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow can I get help?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDuring this period of transition, you may experience minor disruptions, unexpected issues, or notifications highlighting upcoming updates. The development team is proactively working on two primary issues during the transition period on our \"Current Issues\" list. Please visit our \u003ca href=\"https://confluenceent.cms.gov/display/ISPG/CRM+Data+Quality+Status+Tracker\"\u003eCRM Data Quality Ticket Status Tracker\u003c/a\u003e for the latest ticket updates.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS Cyber Risk Management (CRM) Team can help answer your questions and get your team onboarded to the CMS SDL. 
You can reach out to the team on CMS Slack in the #cyber-risk-management channel or via email at\u0026nbsp;\u003ca href=\"mailto:CRMPMO@cms.hhs.gov\"\u003eCRMPMO@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"9c:T1b4d,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWho can use the CMS SDL?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe open format of the CMS SDL provides a flexible and cost-effective solution for teams across the CMS enterprise to address the agency’s strategic security priorities. The CMS SDL is recommended for teams engaged in the following activities:\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is directly related to\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Monitoring (CDM)\u003c/a\u003e and the work that’s being done by the Cyber Risk Management (CRM) Team. The CMS SDL can help teams:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eManage configuration settings using data on asset compliance status, security policies, and severity of vulnerabilities\u003c/li\u003e\u003cli dir=\"ltr\"\u003eManage hardware assets using data on hardware assets, inventory of EC2 and managed instances, and AWS resource tags\u003c/li\u003e\u003cli dir=\"ltr\"\u003eAssess and mitigate vulnerabilities using data on vulnerabilities, detection, and mitigation status\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSecurity Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL’s centralized data management enables robust\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-access-control-handbook\"\u003eaccess control\u003c/a\u003e, encryption, and audit capabilities. 
Additionally, the CMS SDL will:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eEnable and improve collection, detection, triage, investigation, incident response and lessons learned\u003c/li\u003e\u003cli dir=\"ltr\"\u003eProvide more actionable intelligence, higher fidelity alerting to speed up triage and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse AI tools to analyze low fidelity alerts for advanced attacks, analyze false positives to refine and tune existing detections / analytics, identify other patterns / trends\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOffer robust detection logic using detection-as-code, Python and community-driven and developed analytics will reduce cost, improve portability and avoid vendor lock-in\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved data will enhance purple and red teaming and tabletop testing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCollection policies not limited by cost or storage constraints\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Intelligence\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL provides the context needed to feed all core functions of Security Operations including triage, investigation, and incident response. 
Additionally, the CMS SDL will offer better \"strategic and operational\" intelligence by enabling:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/threat-modeling\"\u003eThreat modeling\u003c/a\u003e exercises\u003c/li\u003e\u003cli dir=\"ltr\"\u003eQuantitative data analysis including loss exceedance curves and probabilistic estimation in real dollars\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInternally-sourced intelligence based on actual incident data that’s stored in the CMS SDL\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFulfilling CISO and CTI threat intelligence requirements\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eThreat Hunting\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThreat hunting is a proactive, data-driven approach that is reliant on up-to-date, high-quality, comprehensive data. Current threat hunting is heavily dependent on atomic indicators of compromise (IOCs). 
The CMS SDL will allow for:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eMore advanced threat hunting, such as anomaly-based and by specific threat actor groups\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGreater focus on riskiest stages in kill chain: post exploitation\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eImproved analytics, detections, preventive controls, and incident response\u003c/li\u003e\u003cli dir=\"ltr\"\u003eFaster Observe, Orient, Decide, Act (OODA) loops that will allow CMS to be more responsive to attacks\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware and Container Security\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eThe CMS SDL is also used to test and validate tools and services that are currently used by CMS including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eSnyk to scan and fix vulnerabilities and license violations in open-source dependencies and containers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSemgrep\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGrype\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGitLeaks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eOther DAST tools\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSoftware-as-a-Service (SaaS) Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/saas-governance-saasg\"\u003eSaaS governance\u003c/a\u003e involves defining data ownership, access policies, and data lifecycle management rules. 
Implementing data governance practices within the CMS SDL helps re-enforce security policies and ensure compliance with current regulations and standards.\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eUse AppOmni to monitor SaaS services, track issues, run scans, detail policies, and offer insight into associated risks\u003c/li\u003e\u003cli dir=\"ltr\"\u003eUse BitSight to provide overview of company portfolio, company rating, product rating, product information, changes in ratings, details about potential security threats of product\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInclude SaaS Security and operational health into CMS’ risk-based security posture\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003eZeroTrust as a Security Model\u0026nbsp;\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/zero-trust\"\u003eZeroTrust\u003c/a\u003e is a security model that is built on continuous validation at every stage of digital interaction. The ZeroTrust (ZT) security model, also known as ZeroTrust Architecture (ZTA), maintains that no user or application should be trusted by default. As a result, organizations that implement a ZeroTrust model move from checking permissions only at initial sign-on to continuously checking permissions as users or devices move through a system. This constant validation provides enhanced security for systems, devices, and users. 
ZeroTrust is a security strategy that is ideal for SaaS applications because it can help mitigate risks associated with access to sensitive data, tracking user activity, security posture, and cyberattacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUse Cases for ZeroTrust\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReplacing or augmenting VPNs: ZeroTrust can provide an extra layer of protection for organizations that are looking to replace or augment their VPNs.\u003c/li\u003e\u003cli\u003eImproving access control for the cloud: ZeroTrust can reduce the risk of unauthorized cloud-based access by verifying all requests.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eHow can I get help?\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eDuring this period of transition, you may experience minor disruptions, unexpected issues, or notifications highlighting upcoming updates. The development team is proactively working on two primary issues during the transition period on our \"Current Issues\" list. Please visit our \u003ca href=\"https://confluenceent.cms.gov/display/ISPG/CRM+Data+Quality+Status+Tracker\"\u003eCRM Data Quality Ticket Status Tracker\u003c/a\u003e for the latest ticket updates.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS Cyber Risk Management (CRM) Team can help answer your questions and get your team onboarded to the CMS SDL. 
You can reach out to the team on CMS Slack in the #cyber-risk-management channel or via email at\u0026nbsp;\u003ca href=\"mailto:CRMPMO@cms.hhs.gov\"\u003eCRMPMO@cms.hhs.gov\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"9a:{\"value\":\"$9b\",\"format\":\"body_text\",\"processed\":\"$9c\"}\n98:{\"drupal_internal__id\":3494,\"drupal_internal__revision_id\":19507,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:16:09+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$99\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$9a\"}\na0:{\"drupal_internal__target_id\":\"page_section\"}\n9f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/paragraph_type?resourceVersion=id%3A19507\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/relationships/paragraph_type?resourceVersion=id%3A19507\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/field_specialty_item?resourceVersion=id%3A19507\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/relationships/field_specialty_item?resourceVersion=id%3A19507\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\n9d:{\"paragraph_type\":\"$9e\",\"field_specialty_item\":\"$a4\"}\n95:{\"type\":\"paragraph--page_section\",\"id\":\"749bf025-6e11-4adc-8097-fe29609424c5\",\"links\":\"$96\",\"attributes\":\"$98\",\"relationships\":\"$9d\"}\naa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46b
f-4b3c-9d32-5559dac28c9c?resourceVersion=id%3A19505\"}\na9:{\"self\":\"$aa\"}\nac:[]\nae:[]\nad:{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Security+Data+Warehouse+Transition#84394e3c-3d44-4e17-99d9-fac271da7bc3-568895703\",\"title\":\"\",\"options\":\"$ae\",\"url\":\"https://confluenceent.cms.gov/display/ISPG/Security+Data+Warehouse+Transition#84394e3c-3d44-4e17-99d9-fac271da7bc3-568895703\"}\naf:{\"value\":\"Learn more about our transition from our \\\"Legacy\\\" Data Warehouse"])</script><script>self.__next_f.push([1," (LDW) to the more efficient Security Data Lake (SDL). \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn more about our transition from our \u0026quot;Legacy\u0026quot; Data Warehouse (LDW) to the more efficient Security Data Lake (SDL).\u003c/p\u003e\\n\"}\nab:{\"drupal_internal__id\":3493,\"drupal_internal__revision_id\":19505,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:12:04+00:00\",\"parent_id\":\"3487\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$ac\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$ad\",\"field_call_out_link_text\":\"Learn more about the CMS SDL\",\"field_call_out_text\":\"$af\",\"field_header\":\"CMS CRM DW on Confluence 
\"}\nb3:{\"drupal_internal__target_id\":\"call_out_box\"}\nb2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$b3\"}\nb5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46bf-4b3c-9d32-5559dac28c9c/paragraph_type?resourceVersion=id%3A19505\"}\nb6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46bf-4b3c-9d32-5559dac28c9c/relationships/paragraph_type?resourceVersion=id%3A19505\"}\nb4:{\"related\":\"$b5\",\"self\":\"$b6\"}\nb1:{\"data\":\"$b2\",\"links\":\"$b4\"}\nb0:{\"paragraph_type\":\"$b1\"}\na8:{\"type\":\"paragraph--call_out_box\",\"id\":\"d33367a1-46bf-4b3c-9d32-5559dac28c9c\",\"links\":\"$a9\",\"attributes\":\"$ab\",\"relationships\":\"$b0\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76?resourceVersion=id%3A19508\"}\nb8:{\"self\":\"$b9\"}\nbb:[]\nba:{\"drupal_internal__id\":3488,\"drupal_internal__revision_id\":19508,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:38+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$bb\",\"default_langcode\":true,\"revision_translation_affected\":true}\nbf:{\"drupal_internal__target_id\":\"internal_link\"}\nbe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$bf\"}\nc1:{\"href\":\"https://cybe"])</script><script>self.__next_f.push([1,"rgeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/paragraph_type?resourceVersion=id%3A19508\"}\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/relationships/paragraph_type?resourceVersion=id%3A19508\"}\nc0:{\"related\":\"$c1\",\"self\":\"$c2\"}\nbd:{\"data\":\"$be\",\"links\":\"$c0\"}\nc5:{\"drupal_internal__target_id\":991}\nc4:{\"type\":\"node--library\",\"id\":\"cc
c8540c-c385-44e3-8788-fcd3b96df2d7\",\"meta\":\"$c5\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/field_link?resourceVersion=id%3A19508\"}\nc8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/relationships/field_link?resourceVersion=id%3A19508\"}\nc6:{\"related\":\"$c7\",\"self\":\"$c8\"}\nc3:{\"data\":\"$c4\",\"links\":\"$c6\"}\nbc:{\"paragraph_type\":\"$bd\",\"field_link\":\"$c3\"}\nb7:{\"type\":\"paragraph--internal_link\",\"id\":\"56fe1469-28fd-40c4-89f0-6a2033d81d76\",\"links\":\"$b8\",\"attributes\":\"$ba\",\"relationships\":\"$bc\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1?resourceVersion=id%3A19509\"}\nca:{\"self\":\"$cb\"}\ncd:[]\ncc:{\"drupal_internal__id\":3489,\"drupal_internal__revision_id\":19509,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:44+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$cd\",\"default_langcode\":true,\"revision_translation_affected\":true}\nd1:{\"drupal_internal__target_id\":\"internal_link\"}\nd0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$d1\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/paragraph_type?resourceVersion=id%3A19509\"}\nd4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/relationships/paragraph_type?resourceVersion=id%3A19509\"}\nd2:{\"related\":\"$d3\",\"self\":\"$d4\"}\ncf:{\"data\":\"$d0\",\"links\":\"$d2\"}\nd"])</script><script>self.__next_f.push([1,"7:{\"drupal_internal__target_id\":276}\nd6:{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"meta\":\"$d7\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jso
napi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/field_link?resourceVersion=id%3A19509\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/relationships/field_link?resourceVersion=id%3A19509\"}\nd8:{\"related\":\"$d9\",\"self\":\"$da\"}\nd5:{\"data\":\"$d6\",\"links\":\"$d8\"}\nce:{\"paragraph_type\":\"$cf\",\"field_link\":\"$d5\"}\nc9:{\"type\":\"paragraph--internal_link\",\"id\":\"abca5f65-f7dc-4eef-9a06-27e97fed2ab1\",\"links\":\"$ca\",\"attributes\":\"$cc\",\"relationships\":\"$ce\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c?resourceVersion=id%3A19510\"}\ndc:{\"self\":\"$dd\"}\ndf:[]\nde:{\"drupal_internal__id\":3490,\"drupal_internal__revision_id\":19510,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:58+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$df\",\"default_langcode\":true,\"revision_translation_affected\":true}\ne3:{\"drupal_internal__target_id\":\"internal_link\"}\ne2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$e3\"}\ne5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/paragraph_type?resourceVersion=id%3A19510\"}\ne6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/relationships/paragraph_type?resourceVersion=id%3A19510\"}\ne4:{\"related\":\"$e5\",\"self\":\"$e6\"}\ne1:{\"data\":\"$e2\",\"links\":\"$e4\"}\ne9:{\"drupal_internal__target_id\":676}\ne8:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":\"$e9\"}\neb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/field_link?resourceVersion=id%3A19510\"}\nec:{\"href\":\"https://cybergeek.cm
s.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-44"])</script><script>self.__next_f.push([1,"3b-9fba-eb1deaec924c/relationships/field_link?resourceVersion=id%3A19510\"}\nea:{\"related\":\"$eb\",\"self\":\"$ec\"}\ne7:{\"data\":\"$e8\",\"links\":\"$ea\"}\ne0:{\"paragraph_type\":\"$e1\",\"field_link\":\"$e7\"}\ndb:{\"type\":\"paragraph--internal_link\",\"id\":\"b9a8eb5d-5793-443b-9fba-eb1deaec924c\",\"links\":\"$dc\",\"attributes\":\"$de\",\"relationships\":\"$e0\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1?resourceVersion=id%3A19511\"}\nee:{\"self\":\"$ef\"}\nf1:[]\nf0:{\"drupal_internal__id\":3491,\"drupal_internal__revision_id\":19511,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:09:02+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$f1\",\"default_langcode\":true,\"revision_translation_affected\":true}\nf5:{\"drupal_internal__target_id\":\"internal_link\"}\nf4:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$f5\"}\nf7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/paragraph_type?resourceVersion=id%3A19511\"}\nf8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/relationships/paragraph_type?resourceVersion=id%3A19511\"}\nf6:{\"related\":\"$f7\",\"self\":\"$f8\"}\nf3:{\"data\":\"$f4\",\"links\":\"$f6\"}\nfb:{\"drupal_internal__target_id\":631}\nfa:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":\"$fb\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/field_link?resourceVersion=id%3A19511\"}\nfe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/relationships/field_link?re
sourceVersion=id%3A19511\"}\nfc:{\"related\":\"$fd\",\"self\":\"$fe\"}\nf9:{\"data\":\"$fa\",\"links\":\"$fc\"}\nf2:{\"paragraph_type\":\"$f3\",\"field_link\":\"$f9\"}\ned:{\"type\":\"paragraph--internal_link\",\"id\":\"12a352b7-69e0-4b22-80f0-395676d39cc1\",\"links\":\"$ee\",\"attributes\":\"$f0\",\"relationships\":\"$f2\"}\n101:{\"href\":\"https://cybergeek.cm"])</script><script>self.__next_f.push([1,"s.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404?resourceVersion=id%3A19512\"}\n100:{\"self\":\"$101\"}\n103:[]\n102:{\"drupal_internal__id\":3492,\"drupal_internal__revision_id\":19512,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:09:46+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$103\",\"default_langcode\":true,\"revision_translation_affected\":true}\n107:{\"drupal_internal__target_id\":\"internal_link\"}\n106:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$107\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/paragraph_type?resourceVersion=id%3A19512\"}\n10a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/relationships/paragraph_type?resourceVersion=id%3A19512\"}\n108:{\"related\":\"$109\",\"self\":\"$10a\"}\n105:{\"data\":\"$106\",\"links\":\"$108\"}\n10d:{\"drupal_internal__target_id\":671}\n10c:{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":\"$10d\"}\n10f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/field_link?resourceVersion=id%3A19512\"}\n110:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/relationships/field_link?resourceVersion=id%3A19512\"}\n10e:{\"related\":\"$10f\",\"self\":\"$110\"}\n10b
:{\"data\":\"$10c\",\"links\":\"$10e\"}\n104:{\"paragraph_type\":\"$105\",\"field_link\":\"$10b\"}\nff:{\"type\":\"paragraph--internal_link\",\"id\":\"ef41f9d2-9239-47f4-a7fe-d2353b62d404\",\"links\":\"$100\",\"attributes\":\"$102\",\"relationships\":\"$104\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7?resourceVersion=id%3A5858\"}\n112:{\"self\":\"$113\"}\n115:{\"alias\":\"/policy-guidance/cms-cyber-risk-management-plan-crmp\",\"pid\":846,\"langcode\":\"en\"}\n117:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. 
Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuous monitoring the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establishes a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. 
\u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment, organizations gain context and an understanding of the nature of the risk, which allows the level of risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides high level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organizational information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMS Cybersecurity Integration Center (CCIC) maintains penetration testing teams that perform testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization, systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics, each with an established risk tolerance (i.e. threshold). Systems remain in compliance with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, triggers, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management, enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program, CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provide consumers with the tools to access security data and the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 for an overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"118:T5768,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u0026nbsp;Introduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.\u003c/p\u003e\u003cp\u003eRisk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf\"\u003eoperation of an information system\u003c/a\u003e. 
Risk Management includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe conduct of a risk assessment;\u003c/li\u003e\u003cli\u003ethe implementation of a risk mitigation strategy; and\u003c/li\u003e\u003cli\u003ethe employment of techniques and procedures for continuously monitoring the security state of the information system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Purpose\u003c/h2\u003e\u003cp\u003eThe purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establish a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.\u003c/p\u003e\u003ch2\u003e\u0026nbsp;Risk Management Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined\u0026nbsp;(i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy, CMS has identified three objectives:\u003c/p\u003e\u003col\u003e\u003cli\u003eDevelop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. 
\u003cem\u003e(Relates to: Risk Assessment)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDevelop metrics, dashboards, and reports to inform and prioritize remediation efforts. \u003cem\u003e(Relates to: Risk Mitigation)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eImplement capabilities and tools to support continuous assessment and ongoing authorization (OA). \u003cem\u003e(Relates to: Continuous Monitoring)\u003c/em\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.\u003c/p\u003e\u003ch2\u003eRisk Assessment\u003c/h2\u003e\u003cp\u003eRisk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment, organizations gain context and an understanding of the nature of the risk, which allows the level of risk to be determined. 
Risk assessment is synonymous with risk analysis.\u003c/p\u003e\u003cp\u003eThe following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:\u003c/p\u003e\u003ch3\u003eThreat Modeling\u003c/h3\u003e\u003cp\u003eThreat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.\u003c/p\u003e\u003ch3\u003eVulnerability Analysis Services\u003c/h3\u003e\u003cp\u003eCMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStatic Code Analysis \u003c/strong\u003e– provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. 
Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNetwork Scanning \u003c/strong\u003e– provides tools allowing Users to automatically determine all active devices on the local network.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHost Scanning \u003c/strong\u003e– provides tools to automate the identification of vulnerabilities in an operating system.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDatabase Scanning \u003c/strong\u003e– provides a specialized tool used specifically to identify vulnerabilities in database applications.\u003c/p\u003e\u003ch3\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003eThe Adaptive Capabilities Testing (ACT) Program is now the \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e. This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will help our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eCSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the \u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). 
For detailed information about CSRAP, see \u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCybersecurity and Risk Assessment Program Handbook\u003c/a\u003e.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Mitigation\u003c/h2\u003e\u003cp\u003eThe act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.\u003c/p\u003e\u003ch3\u003eOngoing Authorization (OA) Program Dashboard\u003c/h3\u003e\u003cp\u003eThe CMS \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. 
OA trigger fires).\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM) Dashboards\u003c/h3\u003e\u003cp\u003eCMS maintains the following dashboards which support the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM\u003c/a\u003e Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVULN\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items\u003c/li\u003e\u003cli\u003eKnown Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHWAM\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAsset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter\u003c/li\u003e\u003cli\u003eMaster Device Record – Provides high level overview of CMS assets\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eNote: \u003c/strong\u003eThe terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organizational information.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003eCyber Risk Report\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/cyber-risk-reports\"\u003eCMS Cyber Risk Report\u003c/a\u003e communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. 
ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.\u003c/p\u003e\u003ch3\u003eHigh Risk Summary\u003c/h3\u003e\u003cp\u003eThe CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.\u003c/p\u003e\u003ch3\u003eCFACTS POA\u0026amp;M\u003c/h3\u003e\u003cp\u003eStakeholders must use \u003ca href=\"https://security.cms.gov/learn/cms-fisma-continuous-tracking-system-cfacts\"\u003eCFACTS\u003c/a\u003e to identify, track, and manage all IT system weaknesses and associated \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003ePlans of Action and Milestones (POA\u0026amp;Ms) \u003c/a\u003eto closure for CMS information systems. The CFACTS POA\u0026amp;M User Guide provides detailed instructions for processing POA\u0026amp;M actions in the CFACTS tracking system.\u003c/p\u003e\u003ch3\u003eContinuous Monitoring\u003c/h3\u003e\u003cp\u003eContinuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.\u003c/p\u003e\u003cp\u003eThe Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). 
Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.\u003c/p\u003e\u003ch3\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eCDM Program\u003c/a\u003e provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReducing agency threat surface\u003c/li\u003e\u003cli\u003eIncreasing visibility into the federal cybersecurity posture\u003c/li\u003e\u003cli\u003eImproving federal cybersecurity response capabilities\u003c/li\u003e\u003cli\u003eStreamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:\u003cul\u003e\u003cli\u003eAsset Management | What is on the network?\u003c/li\u003e\u003cli\u003eIdentity and Access Management | Who is on the network?\u003c/li\u003e\u003cli\u003eNetwork Security Management | What is happening on the network? 
How is the network protected?\u003c/li\u003e\u003cli\u003eData Protection Management | How is data protected?\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHardware Asset Management (HWAM)\u003c/li\u003e\u003cli\u003eSoftware Asset Management (SWAM)\u003c/li\u003e\u003cli\u003eSoftware Vulnerability Management (VUL)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003ePenetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003ePenetration Testing \u003c/a\u003eis security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.\u003c/p\u003e\u003cp\u003eThe CMC Cybersecurity Integration Center (CCIC) maintains penetration testing teams that performs testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.\u003c/p\u003e\u003ch3\u003ebatCAVE\u003c/h3\u003e\u003cp\u003e\u003ca href=\"http://security.cms.gov/learn/batcave-infrastructure-service\"\u003ebatCAVE\u003c/a\u003e incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. 
By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.\u003c/p\u003e\u003cp\u003eKey aspects of the batCAVE initiative:\u003c/p\u003e\u003col\u003e\u003cli\u003eReduce burden and obligations to Users\u003c/li\u003e\u003cli\u003eGive Users the knowledge necessary to make better security decisions\u003c/li\u003e\u003cli\u003eIncentivize behavior that strengthens the security posture of applications and CMS as a whole\u003c/li\u003e\u003cli\u003eIncrease transparency and empower distributed decision-making\u003c/li\u003e\u003cli\u003eMeasure, report, and champion the positive behavior rather than punish negative actions\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eCMS Security Automation Framework (SAF)\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. 
Benefits of using this framework include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ACT team will accept security testing data from this framework.\u003c/li\u003e\u003cli\u003eDevelopers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u0026nbsp;Ongoing Authorization\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.\u003c/p\u003e\u003cp\u003eThere are two conditions for a system to participate in OA:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.\u003c/li\u003e\u003cli\u003eA robust ISCM program is in place that monitors all implemented controls:\u003cul\u003e\u003cli\u003eAt the appropriate frequencies,\u003c/li\u003e\u003cli\u003eWith the appropriate degree of rigor, and\u003c/li\u003e\u003cli\u003eIn accordance with the organization’s ISCM strategy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eTime Driven Triggers \u003c/strong\u003e– controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eEvent Driven Triggers \u003c/strong\u003e– are defined by the organization. 
Examples include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncrease in defects from ISCM\u003c/li\u003e\u003cli\u003eChange in risk assessment findings\u003c/li\u003e\u003cli\u003eNew threat/vulnerability information\u003c/li\u003e\u003cli\u003eSignificant changes\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eCMS OA Initiative\u003c/h3\u003e\u003cp\u003eCMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.\u003c/p\u003e\u003cp\u003eCurrently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. 
To be selected for ongoing authorization systems must meet the following requirements:\u003c/p\u003e\u003cul\u003e\u003cli\u003eHave been granted initial \u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato\"\u003eATO\u003c/a\u003e;\u003c/li\u003e\u003cli\u003eBe fully OIT AWS cloud hosted - no hybrids;\u003c/li\u003e\u003cli\u003eHave Security Hub enabled;\u003c/li\u003e\u003cli\u003eKey CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);\u003c/li\u003e\u003cli\u003eData needs to be integrated into requisite reporting mechanisms and made visible; and\u003c/li\u003e\u003cli\u003eMeet \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\"\u003eOA metrics baseline requirements.\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eOnce placed into the OA program, systems are tracked against defined metrics each with an establish risk tolerance (i.e. threshold). Systems that comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, trigger, severity levels, and workflows.\u003c/p\u003e\u003ch2\u003eCMS Risk Management Program - Implementing the Strategy\u003c/h2\u003e\u003cp\u003eThe CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. 
This program enables a shift to data-driven risk management enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.\u003c/p\u003e\u003cp\u003eTo support the Risk Management Program CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provides consumers the tools to access security data and provide the means to understand their data in a\u0026nbsp;security context. Refer to Figure 1 to overview of the CMS Risk Management Program.\u003c/p\u003e\u003ch2\u003eAuthoritative Sources and References\u003c/h2\u003e\u003cp\u003eFederal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the \u003ca href=\"https://www.nist.gov/cyberframework\"\u003eNIST Cyber Security Framework (CSF)\u003c/a\u003e. 
This Plan incorporates guidance from authoritative sources and initiatives including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDepartment of Health \u0026amp; Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) and \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cms-security-and-privacy-handbooks\"\u003eRisk Management Handbooks (RMH)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act\"\u003eFederal Information Security Modernization Act of 2014\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\"\u003eOMB Circular A-130, Managing Information as a Strategic Resource\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf\"\u003eOMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf\"\u003eOMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01\"\u003eBinding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca 
href=\"https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf\"\u003eOMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2021/10/M-22-01.pdf\"\u003eOMB\u0026nbsp;M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"116:{\"value\":\"$117\",\"format\":\"body_text\",\"processed\":\"$118\",\"summary\":\"\"}\n11b:[]\n11a:{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"options\":\"$11b\",\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"}\n11d:[]\n11c:{\"uri\":\"entity:node/771\",\"title\":\"Ongoing Authorization (OA)\",\"options\":\"$11d\",\"url\":\"/learn/ongoing-authorization-oa\"}\n11f:[]\n11e:{\"uri\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\",\"title\":\" Cybersecurity and Risk Assessment Program Handbook\",\"options\":\"$11f\",\"url\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\"}\n119:[\"$11a\",\"$11c\",\"$11e\"]\n120:{\"value\":\"A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems. 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems.\u003c/p\u003e\\n\"}\n114:{\"drupal_internal__nid\":991,\"drupal_internal__vid\":5858,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-07T17:01:12+00:00\",\"status\":true,\"title\":\"CMS Cyber Risk Management Plan (CRMP)\",\"created\":\"2023-05-26T13:14:59+00:00\",\"changed\":\"2024-06-04T15:18:21+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$115\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$116\",\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_last_reviewed\":\"2023-03-27\",\"field_related_resources\":\"$119\",\"field_short_description\":\"$120\"}\n124:{\"drupal_internal__target_id\":\"library\"}\n123:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$124\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-"])</script><script>self.__next_f.push([1,"fcd3b96df2d7/node_type?resourceVersion=id%3A5858\"}\n127:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/node_type?resourceVersion=id%3A5858\"}\n125:{\"related\":\"$126\",\"self\":\"$127\"}\n122:{\"data\":\"$123\",\"links\":\"$125\"}\n12a:{\"drupal_internal__target_id\":107}\n129:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$12a\"}\n12c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/revision_uid?resourceVersion=id%3A5858\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/revision_uid?resour
ceVersion=id%3A5858\"}\n12b:{\"related\":\"$12c\",\"self\":\"$12d\"}\n128:{\"data\":\"$129\",\"links\":\"$12b\"}\n130:{\"drupal_internal__target_id\":26}\n12f:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$130\"}\n132:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/uid?resourceVersion=id%3A5858\"}\n133:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/uid?resourceVersion=id%3A5858\"}\n131:{\"related\":\"$132\",\"self\":\"$133\"}\n12e:{\"data\":\"$12f\",\"links\":\"$131\"}\n136:{\"drupal_internal__target_id\":96}\n135:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$136\"}\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_resource_type?resourceVersion=id%3A5858\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_resource_type?resourceVersion=id%3A5858\"}\n137:{\"related\":\"$138\",\"self\":\"$139\"}\n134:{\"data\":\"$135\",\"links\":\"$137\"}\n13d:{\"drupal_internal__target_id\":66}\n13c:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$13d\"}\n13f:{\"drupal_internal__target_id\":81}\n13e:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$13f\"}\n141:{\"drupal_internal__target_id\":61}\n140:{\"t"])</script><script>self.__next_f.push([1,"ype\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$141\"}\n143:{\"drupal_internal__target_id\":76}\n142:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$143\"}\n13b:[\"$13c\",\"$13e\",\"$140\",\"$142\"]\n145:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_roles?resourceVersion=id%3A5858\
"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_roles?resourceVersion=id%3A5858\"}\n144:{\"related\":\"$145\",\"self\":\"$146\"}\n13a:{\"data\":\"$13b\",\"links\":\"$144\"}\n14a:{\"drupal_internal__target_id\":16}\n149:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$14a\"}\n14c:{\"drupal_internal__target_id\":36}\n14b:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$14c\"}\n148:[\"$149\",\"$14b\"]\n14e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_topics?resourceVersion=id%3A5858\"}\n14f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_topics?resourceVersion=id%3A5858\"}\n14d:{\"related\":\"$14e\",\"self\":\"$14f\"}\n147:{\"data\":\"$148\",\"links\":\"$14d\"}\n121:{\"node_type\":\"$122\",\"revision_uid\":\"$128\",\"uid\":\"$12e\",\"field_resource_type\":\"$134\",\"field_roles\":\"$13a\",\"field_topics\":\"$147\"}\n111:{\"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"links\":\"$112\",\"attributes\":\"$114\",\"relationships\":\"$121\"}\n152:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee?resourceVersion=id%3A6081\"}\n151:{\"self\":\"$152\"}\n154:{\"alias\":\"/learn/cyber-risk-reports\",\"pid\":266,\"langcode\":\"en\"}\n155:{\"value\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protec"])</script><script>self.__next_f.push([1,"t sensitive data from cyber 
threats\u003c/p\u003e\\n\"}\n156:[\"#cyber-risk-management\"]\n153:{\"drupal_internal__nid\":276,\"drupal_internal__vid\":6081,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T19:24:02+00:00\",\"status\":true,\"title\":\"Cyber Risk Reports (CRR)\",\"created\":\"2022-08-26T15:05:42+00:00\",\"changed\":\"2025-01-14T20:34:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$154\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":\"$155\",\"field_slack_channel\":\"$156\"}\n15a:{\"drupal_internal__target_id\":\"explainer\"}\n159:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$15a\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/node_type?resourceVersion=id%3A6081\"}\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/node_type?resourceVersion=id%3A6081\"}\n15b:{\"related\":\"$15c\",\"self\":\"$15d\"}\n158:{\"data\":\"$159\",\"links\":\"$15b\"}\n160:{\"drupal_internal__target_id\":107}\n15f:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$160\"}\n162:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/revision_uid?resourceVersion=id%3A6081\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/revision_uid?resourceVersion=id%3A6081\"}\n161:{\"related\":\"$162\",\"self\":\"$163\"}\n15e:{\"data\":\"$15f\",\"links\":\"$161\"}\n166:{\"drupal_internal__target_id\":26}\n165:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444
160a4\",\"meta\":\"$166\"}\n168:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/uid?resourceVersion=id%3A6081\"}\n169:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/expl"])</script><script>self.__next_f.push([1,"ainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/uid?resourceVersion=id%3A6081\"}\n167:{\"related\":\"$168\",\"self\":\"$169\"}\n164:{\"data\":\"$165\",\"links\":\"$167\"}\n16d:{\"target_revision_id\":19976,\"drupal_internal__target_id\":1041}\n16c:{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"meta\":\"$16d\"}\n16f:{\"target_revision_id\":19981,\"drupal_internal__target_id\":1051}\n16e:{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"meta\":\"$16f\"}\n171:{\"target_revision_id\":19986,\"drupal_internal__target_id\":1061}\n170:{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"meta\":\"$171\"}\n173:{\"target_revision_id\":19996,\"drupal_internal__target_id\":1071}\n172:{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"meta\":\"$173\"}\n175:{\"target_revision_id\":20006,\"drupal_internal__target_id\":1091}\n174:{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"meta\":\"$175\"}\n177:{\"target_revision_id\":20016,\"drupal_internal__target_id\":1101}\n176:{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"meta\":\"$177\"}\n16b:[\"$16c\",\"$16e\",\"$170\",\"$172\",\"$174\",\"$176\"]\n179:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_page_section?resourceVersion=id%3A6081\"}\n17a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_page_section?resourceVersion=id%3A6081\"}\n178:{\"related\":\"$179\",\"self\":\"$17a\"}\n16a:{\"data\":\"$16b\",\"links\":\"$17
8\"}\n17e:{\"target_revision_id\":20021,\"drupal_internal__target_id\":1911}\n17d:{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"meta\":\"$17e\"}\n180:{\"target_revision_id\":20026,\"drupal_internal__target_id\":1916}\n17f:{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"meta\":\"$180\"}\n182:{\"target_revision_id\":20031,\"drupal_internal__target_id\":3386}\n181:{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4"])</script><script>self.__next_f.push([1,"e\",\"meta\":\"$182\"}\n184:{\"target_revision_id\":20036,\"drupal_internal__target_id\":3387}\n183:{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"meta\":\"$184\"}\n17c:[\"$17d\",\"$17f\",\"$181\",\"$183\"]\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_related_collection?resourceVersion=id%3A6081\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_related_collection?resourceVersion=id%3A6081\"}\n185:{\"related\":\"$186\",\"self\":\"$187\"}\n17b:{\"data\":\"$17c\",\"links\":\"$185\"}\n18a:{\"drupal_internal__target_id\":121}\n189:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$18a\"}\n18c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_resource_type?resourceVersion=id%3A6081\"}\n18d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_resource_type?resourceVersion=id%3A6081\"}\n18b:{\"related\":\"$18c\",\"self\":\"$18d\"}\n188:{\"data\":\"$189\",\"links\":\"$18b\"}\n191:{\"drupal_internal__target_id\":66}\n190:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$191\"}\n193:{\"drupal_internal__target_id\":61}\n192:
{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$193\"}\n195:{\"drupal_internal__target_id\":76}\n194:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$195\"}\n197:{\"drupal_internal__target_id\":71}\n196:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$197\"}\n18f:[\"$190\",\"$192\",\"$194\",\"$196\"]\n199:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_roles?resourceVersion=id%3A6081\"}\n19a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_roles?resourceVersion=id%3A6081\"}\n198:{\"related\":\"$199\",\"self\":\"$19a\"}\n18e:{\"data\":\"$18f\",\"links\":\"$"])</script><script>self.__next_f.push([1,"198\"}\n19e:{\"drupal_internal__target_id\":36}\n19d:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$19e\"}\n19c:[\"$19d\"]\n1a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_topics?resourceVersion=id%3A6081\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_topics?resourceVersion=id%3A6081\"}\n19f:{\"related\":\"$1a0\",\"self\":\"$1a1\"}\n19b:{\"data\":\"$19c\",\"links\":\"$19f\"}\n157:{\"node_type\":\"$158\",\"revision_uid\":\"$15e\",\"uid\":\"$164\",\"field_page_section\":\"$16a\",\"field_related_collection\":\"$17b\",\"field_resource_type\":\"$188\",\"field_roles\":\"$18e\",\"field_topics\":\"$19b\"}\n150:{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"links\":\"$151\",\"attributes\":\"$153\",\"relationships\":\"$157\"}\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}\n1a3:{\"self\":\"$1a4\"}\n1a6:{\"alias\":\"/learn/co
ntinuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"}\n1a7:{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"}\n1a8:[\"#cyber-risk-management\"]\n1a5:{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1a6\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM 
team\",\"field_short_description\":\"$1a7\",\"field_slack_channel\":\"$"])</script><script>self.__next_f.push([1,"1a8\"}\n1ac:{\"drupal_internal__target_id\":\"explainer\"}\n1ab:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1ac\"}\n1ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}\n1ad:{\"related\":\"$1ae\",\"self\":\"$1af\"}\n1aa:{\"data\":\"$1ab\",\"links\":\"$1ad\"}\n1b2:{\"drupal_internal__target_id\":107}\n1b1:{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":\"$1b2\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"}\n1b5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}\n1b3:{\"related\":\"$1b4\",\"self\":\"$1b5\"}\n1b0:{\"data\":\"$1b1\",\"links\":\"$1b3\"}\n1b8:{\"drupal_internal__target_id\":6}\n1b7:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1b8\"}\n1ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"}\n1bb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}\n1b9:{\"related\":\"$1ba\",\"self\":\"$1bb\"}\n1b6:{\"data\":\"$1b7\",\"links\":\"$1b9\"}\n1bf:{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}\n1be:{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":\"$1bf\"}\n1c1:{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}\n1c0:{\"type\":\"paragraph--page_s
ection\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":\"$1c1\"}\n1bd:[\"$1be\",\"$1c0\"]\n1c3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"}\n1c4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc"])</script><script>self.__next_f.push([1,"9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}\n1c2:{\"related\":\"$1c3\",\"self\":\"$1c4\"}\n1bc:{\"data\":\"$1bd\",\"links\":\"$1c2\"}\n1c8:{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}\n1c7:{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":\"$1c8\"}\n1ca:{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}\n1c9:{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":\"$1ca\"}\n1cc:{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}\n1cb:{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":\"$1cc\"}\n1c6:[\"$1c7\",\"$1c9\",\"$1cb\"]\n1ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"}\n1cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}\n1cd:{\"related\":\"$1ce\",\"self\":\"$1cf\"}\n1c5:{\"data\":\"$1c6\",\"links\":\"$1cd\"}\n1d2:{\"drupal_internal__target_id\":121}\n1d1:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$1d2\"}\n1d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"}\n1d5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?res
ourceVersion=id%3A5525\"}\n1d3:{\"related\":\"$1d4\",\"self\":\"$1d5\"}\n1d0:{\"data\":\"$1d1\",\"links\":\"$1d3\"}\n1d9:{\"drupal_internal__target_id\":61}\n1d8:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1d9\"}\n1db:{\"drupal_internal__target_id\":76}\n1da:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1db\"}\n1d7:[\"$1d8\",\"$1da\"]\n1dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"}\n1de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node"])</script><script>self.__next_f.push([1,"/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}\n1dc:{\"related\":\"$1dd\",\"self\":\"$1de\"}\n1d6:{\"data\":\"$1d7\",\"links\":\"$1dc\"}\n1e2:{\"drupal_internal__target_id\":36}\n1e1:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$1e2\"}\n1e4:{\"drupal_internal__target_id\":11}\n1e3:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1e4\"}\n1e0:[\"$1e1\",\"$1e3\"]\n1e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"}\n1e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}\n1e5:{\"related\":\"$1e6\",\"self\":\"$1e7\"}\n1df:{\"data\":\"$1e0\",\"links\":\"$1e5\"}\n1a9:{\"node_type\":\"$1aa\",\"revision_uid\":\"$1b0\",\"uid\":\"$1b6\",\"field_page_section\":\"$1bc\",\"field_related_collection\":\"$1c5\",\"field_resource_type\":\"$1d0\",\"field_roles\":\"$1d6\",\"field_topics\":\"$1df\"}\n1a2:{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":\"$1a3\",\"attributes\":\"$1a5\",\"relationships\":\"$1a9\"}\n1ea:{\"href\":\"https://cyber
geek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}\n1e9:{\"self\":\"$1ea\"}\n1ec:{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"}\n1ee:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). 
Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. 
The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. 
In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. 
The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. 
They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. 
For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. 
However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. 
The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. 
Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention | Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1ef:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the 
ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS-wide information security program. 
HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to 
\u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. 
CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. 
\u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). 
Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. 
In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. 
Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which is based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g., AC-2(1), AC-2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. 
They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. 
This results in a clearer and more detailed understanding of requirement specifics to assist the organization in meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers),\u003c/li\u003e\u003cli\u003eEmergency and Temporary accounts (to provide emergency/temporary access)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eShared/group accounts are not permitted under the XYZ Program. . .\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization requires a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow are three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention | Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control 
families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1ed:{\"value\":\"$1ee\",\"format\":\"body_text\",\"processed\":\"$1ef\",\"summary\":\"\"}\n1f2:[]\n1f1:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":\"$1f2\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n1f4:[]\n1f3:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":\"$1f4\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\n1f0:[\"$1f1\",\"$1f3\"]\n1f5:{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}\n1eb:{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1ec\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$1ed\",\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":\"$1f0\",\"field_short_description\":\"$1f5\"}\n1f9:{\"drupal_internal__target_id\":\"library\"}\n1f8:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$1f9\"}\n1fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}\n1fa:{\"related\":\"$1fb\",\"self\":\"$1fc\"}\n1f7:{\"data\":\"$1f8\",\"links\":\"$1fa\"}\n1ff:{\"drupal_internal__target_id\":159}\n1fe:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8"])</script><script>self.__next_f.push([1,"d-5bd1329e5e64\",\"meta\":\"$1ff\"}\n201:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"}\n202:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}\n200:{\"related\":\"$201\",\"self\":\"$202\"}\n1fd:{\"data\":\"$1fe\",\"links\":\"$200\"}\n205:{\"drupal_internal__target_id\":6}\n204:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$205\"}\n207:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"}\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}\n206:{\"related\":\"$207\",\"self\":\"$208\"}\n203:{\"data\":\"$204\",\"links\":\"$206\"}\n20b:{\"drupal_internal__target_id\":96}\n20a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$20b\"}\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/
field_resource_type?resourceVersion=id%3A5771\"}\n20e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}\n20c:{\"related\":\"$20d\",\"self\":\"$20e\"}\n209:{\"data\":\"$20a\",\"links\":\"$20c\"}\n212:{\"drupal_internal__target_id\":66}\n211:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$212\"}\n214:{\"drupal_internal__target_id\":81}\n213:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$214\"}\n216:{\"drupal_internal__target_id\":61}\n215:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$216\"}\n218:{\"drupal_internal__target_id\":76}\n217:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$218\"}\n21a:{\"drupal_internal__target_id\":71}\n219:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$21a\"}\n210:[\"$211\",\"$"])</script><script>self.__next_f.push([1,"213\",\"$215\",\"$217\",\"$219\"]\n21c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"}\n21d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}\n21b:{\"related\":\"$21c\",\"self\":\"$21d\"}\n20f:{\"data\":\"$210\",\"links\":\"$21b\"}\n221:{\"drupal_internal__target_id\":16}\n220:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$221\"}\n223:{\"drupal_internal__target_id\":36}\n222:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$223\"}\n21f:[\"$220\",\"$222\"]\n225:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"}\n226:{\"
href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}\n224:{\"related\":\"$225\",\"self\":\"$226\"}\n21e:{\"data\":\"$21f\",\"links\":\"$224\"}\n1f6:{\"node_type\":\"$1f7\",\"revision_uid\":\"$1fd\",\"uid\":\"$203\",\"field_resource_type\":\"$209\",\"field_roles\":\"$20f\",\"field_topics\":\"$21e\"}\n1e8:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":\"$1e9\",\"attributes\":\"$1eb\",\"relationships\":\"$1f6\"}\n229:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}\n228:{\"self\":\"$229\"}\n22b:{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"}\n22c:{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"}\n22d:[\"#cms-zero-trust\"]\n22a:{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust \",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false"])</script><script>self.__next_f.push([1,",\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$22b\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust 
Team\",\"field_short_description\":\"$22c\",\"field_slack_channel\":\"$22d\"}\n231:{\"drupal_internal__target_id\":\"explainer\"}\n230:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$231\"}\n233:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"}\n234:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}\n232:{\"related\":\"$233\",\"self\":\"$234\"}\n22f:{\"data\":\"$230\",\"links\":\"$232\"}\n237:{\"drupal_internal__target_id\":138}\n236:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":\"$237\"}\n239:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"}\n23a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}\n238:{\"related\":\"$239\",\"self\":\"$23a\"}\n235:{\"data\":\"$236\",\"links\":\"$238\"}\n23d:{\"drupal_internal__target_id\":26}\n23c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$23d\"}\n23f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"}\n240:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}\n23e:{\"related\":\"$23f\",\"self\":\"$240\"}\n23b:{\"data\":\"$23c\",\"links\":\"$23e\"}\n244:{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}\n243:{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":\"$244\"}\n24"])</script><script>self.__next_f.push([1,"2:[\"$243\"]\n246:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b2
5-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}\n245:{\"related\":\"$246\",\"self\":\"$247\"}\n241:{\"data\":\"$242\",\"links\":\"$245\"}\n24b:{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}\n24a:{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":\"$24b\"}\n24d:{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}\n24c:{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":\"$24d\"}\n24f:{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}\n24e:{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":\"$24f\"}\n251:{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}\n250:{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":\"$251\"}\n253:{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}\n252:{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":\"$253\"}\n255:{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}\n254:{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":\"$255\"}\n249:[\"$24a\",\"$24c\",\"$24e\",\"$250\",\"$252\",\"$254\"]\n257:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"}\n258:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}\n256:{\"related\":\"$257\",\"self\":\"$258\"}\n248:{\"data\":\"$249\",\"links\":\"$256\"}\n25b:{\"drupal_internal__target_id\":131}\n25a:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f49
08-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$25b\"}\n25d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab"])</script><script>self.__next_f.push([1,"2faf97cf/field_resource_type?resourceVersion=id%3A6076\"}\n25e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}\n25c:{\"related\":\"$25d\",\"self\":\"$25e\"}\n259:{\"data\":\"$25a\",\"links\":\"$25c\"}\n262:{\"drupal_internal__target_id\":66}\n261:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$262\"}\n264:{\"drupal_internal__target_id\":61}\n263:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$264\"}\n266:{\"drupal_internal__target_id\":76}\n265:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$266\"}\n260:[\"$261\",\"$263\",\"$265\"]\n268:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}\n267:{\"related\":\"$268\",\"self\":\"$269\"}\n25f:{\"data\":\"$260\",\"links\":\"$267\"}\n26d:{\"drupal_internal__target_id\":21}\n26c:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":\"$26d\"}\n26b:[\"$26c\"]\n26f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"}\n270:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3A6076\"}\n26e:{\"related\":\"$26f\",\"self\":\"$270\"}\n26a:{\"data\":\"$26b\",\"links\":\"$26e\"}\n22e:{\"node_type\":\"$22f\",\"revision_uid\":\"$235\",\"uid\":\"$23
b\",\"field_page_section\":\"$241\",\"field_related_collection\":\"$248\",\"field_resource_type\":\"$259\",\"field_roles\":\"$25f\",\"field_topics\":\"$26a\"}\n227:{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":\"$228\",\"attributes\":\"$22a\",\"relationships\":\"$22e\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"b65d06ad-d018-4cf4-b6f3-5d1415b3351b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b?resourceVersion=id%3A5962\"}},\"attributes\":{\"drupal_internal__nid\":1167,\"drupal_internal__vid\":5962,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-08T17:36:58+00:00\",\"status\":true,\"title\":\"CMS Security Data Lake (SDL)\",\"created\":\"2023-12-20T15:30:40+00:00\",\"changed\":\"2024-11-07T19:15:07+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-security-data-lake-sdl\",\"pid\":1163,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":{\"value\":\"A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting 
activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#security-datalake\",\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/node_type?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/node_type?resourceVersion=id%3A5962\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/revision_uid?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/revision_uid?resourceVersion=id%3A5962\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/uid?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/uid?resourceVersion=id%3A5962\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"dfc07f21-a3f0-48e8-92ac-41f915d0b1ef\",\"meta\":{\"target_revision_id\":19506,\"drupal_internal__target_id\":3487}},{\"type\":\"paragraph--page_section\",\"id\":\"749bf025-6e11-4adc-8097-fe29609424c5\",\"meta\":{\"target_revision_id\":19507,\"drupal_internal__target_id\":3494}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b
6f3-5d1415b3351b/field_page_section?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/field_page_section?resourceVersion=id%3A5962\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"56fe1469-28fd-40c4-89f0-6a2033d81d76\",\"meta\":{\"target_revision_id\":19508,\"drupal_internal__target_id\":3488}},{\"type\":\"paragraph--internal_link\",\"id\":\"abca5f65-f7dc-4eef-9a06-27e97fed2ab1\",\"meta\":{\"target_revision_id\":19509,\"drupal_internal__target_id\":3489}},{\"type\":\"paragraph--internal_link\",\"id\":\"b9a8eb5d-5793-443b-9fba-eb1deaec924c\",\"meta\":{\"target_revision_id\":19510,\"drupal_internal__target_id\":3490}},{\"type\":\"paragraph--internal_link\",\"id\":\"12a352b7-69e0-4b22-80f0-395676d39cc1\",\"meta\":{\"target_revision_id\":19511,\"drupal_internal__target_id\":3491}},{\"type\":\"paragraph--internal_link\",\"id\":\"ef41f9d2-9239-47f4-a7fe-d2353b62d404\",\"meta\":{\"target_revision_id\":19512,\"drupal_internal__target_id\":3492}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/field_related_collection?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/field_related_collection?resourceVersion=id%3A5962\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/field_resource_type?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/field_resource_type?resourceVersion=id%3A5962\"}}},\"field_roles\":{\"data\":[],\"links\
":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/field_roles?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/field_roles?resourceVersion=id%3A5962\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/field_topics?resourceVersion=id%3A5962\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/b65d06ad-d018-4cf4-b6f3-5d1415b3351b/relationships/field_topics?resourceVersion=id%3A5962\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy 
at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/7e79c546-d123-46dd-9480-b7f2e7d81691\"}},\"attributes\":{\"display_name\":\"gollange\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / 
Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":
\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVer
sion=id%3A36\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"dfc07f21-a3f0-48e8-92ac-41f915d0b1ef\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef?resourceVersion=id%3A19506\"}},\"attributes\":{\"drupal_internal__id\":3487,\"drupal_internal__revision_id\":19506,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:38+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/paragraph_type?resourceVersion=id%3A19506\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/relationships/paragraph_type?resourceVersion=id%3A19506\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"d33367a1-46bf-4b3c-9d32-5559dac28c9c\",\"meta\":{\"target_revision_i
d\":19505,\"drupal_internal__target_id\":3493}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/field_specialty_item?resourceVersion=id%3A19506\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/dfc07f21-a3f0-48e8-92ac-41f915d0b1ef/relationships/field_specialty_item?resourceVersion=id%3A19506\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"749bf025-6e11-4adc-8097-fe29609424c5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5?resourceVersion=id%3A19507\"}},\"attributes\":{\"drupal_internal__id\":3494,\"drupal_internal__revision_id\":19507,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:16:09+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/paragraph_type?resourceVersion=id%3A19507\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/relationships/paragraph_type?resourceVersion=id%3A19507\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/field_specialty_item?resourceVersion=id%3A19507\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/749bf025-6e11-4adc-8097-fe29609424c5/relationships/field_spe
cialty_item?resourceVersion=id%3A19507\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"d33367a1-46bf-4b3c-9d32-5559dac28c9c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46bf-4b3c-9d32-5559dac28c9c?resourceVersion=id%3A19505\"}},\"attributes\":{\"drupal_internal__id\":3493,\"drupal_internal__revision_id\":19505,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:12:04+00:00\",\"parent_id\":\"3487\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"https://confluenceent.cms.gov/display/ISPG/Security+Data+Warehouse+Transition#84394e3c-3d44-4e17-99d9-fac271da7bc3-568895703\",\"title\":\"\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/display/ISPG/Security+Data+Warehouse+Transition#84394e3c-3d44-4e17-99d9-fac271da7bc3-568895703\"},\"field_call_out_link_text\":\"Learn more about the CMS SDL\",\"field_call_out_text\":{\"value\":\"Learn more about our transition from our \\\"Legacy\\\" Data Warehouse (LDW) to the more efficient Security Data Lake (SDL). 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn more about our transition from our \u0026quot;Legacy\u0026quot; Data Warehouse (LDW) to the more efficient Security Data Lake (SDL).\u003c/p\u003e\\n\"},\"field_header\":\"CMS CRM DW on Confluence \"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46bf-4b3c-9d32-5559dac28c9c/paragraph_type?resourceVersion=id%3A19505\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/d33367a1-46bf-4b3c-9d32-5559dac28c9c/relationships/paragraph_type?resourceVersion=id%3A19505\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"56fe1469-28fd-40c4-89f0-6a2033d81d76\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76?resourceVersion=id%3A19508\"}},\"attributes\":{\"drupal_internal__id\":3488,\"drupal_internal__revision_id\":19508,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:38+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/paragraph_type?resourceVersion=id%3A19508\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/relationships/paragraph_type?resourceVersion=id%3A19508\"}}},\"field_link\":{\"data\":{\
"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"meta\":{\"drupal_internal__target_id\":991}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/field_link?resourceVersion=id%3A19508\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/56fe1469-28fd-40c4-89f0-6a2033d81d76/relationships/field_link?resourceVersion=id%3A19508\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"abca5f65-f7dc-4eef-9a06-27e97fed2ab1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1?resourceVersion=id%3A19509\"}},\"attributes\":{\"drupal_internal__id\":3489,\"drupal_internal__revision_id\":19509,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:44+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/paragraph_type?resourceVersion=id%3A19509\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/relationships/paragraph_type?resourceVersion=id%3A19509\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"meta\":{\"drupal_internal__target_id\":276}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/field_link?resourceVersion=id%3A19509\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/para
graph/internal_link/abca5f65-f7dc-4eef-9a06-27e97fed2ab1/relationships/field_link?resourceVersion=id%3A19509\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"b9a8eb5d-5793-443b-9fba-eb1deaec924c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c?resourceVersion=id%3A19510\"}},\"attributes\":{\"drupal_internal__id\":3490,\"drupal_internal__revision_id\":19510,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:08:58+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/paragraph_type?resourceVersion=id%3A19510\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/relationships/paragraph_type?resourceVersion=id%3A19510\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"meta\":{\"drupal_internal__target_id\":676}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/field_link?resourceVersion=id%3A19510\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b9a8eb5d-5793-443b-9fba-eb1deaec924c/relationships/field_link?resourceVersion=id%3A19510\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"12a352b7-69e0-4b22-80f0-395676d39cc1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1?resourceVersion=id%3A
19511\"}},\"attributes\":{\"drupal_internal__id\":3491,\"drupal_internal__revision_id\":19511,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:09:02+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/paragraph_type?resourceVersion=id%3A19511\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/relationships/paragraph_type?resourceVersion=id%3A19511\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":{\"drupal_internal__target_id\":631}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/field_link?resourceVersion=id%3A19511\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/12a352b7-69e0-4b22-80f0-395676d39cc1/relationships/field_link?resourceVersion=id%3A19511\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"ef41f9d2-9239-47f4-a7fe-d2353b62d404\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404?resourceVersion=id%3A19512\"}},\"attributes\":{\"drupal_internal__id\":3492,\"drupal_internal__revision_id\":19512,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-20T16:09:46+00:00\",\"parent_id\":\"1167\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected
\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/paragraph_type?resourceVersion=id%3A19512\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/relationships/paragraph_type?resourceVersion=id%3A19512\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":{\"drupal_internal__target_id\":671}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/field_link?resourceVersion=id%3A19512\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ef41f9d2-9239-47f4-a7fe-d2353b62d404/relationships/field_link?resourceVersion=id%3A19512\"}}}}},{\"type\":\"node--library\",\"id\":\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7?resourceVersion=id%3A5858\"}},\"attributes\":{\"drupal_internal__nid\":991,\"drupal_internal__vid\":5858,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-07T17:01:12+00:00\",\"status\":true,\"title\":\"CMS Cyber Risk Management Plan 
(CRMP)\",\"created\":\"2023-05-26T13:14:59+00:00\",\"changed\":\"2024-06-04T15:18:21+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-cyber-risk-management-plan-crmp\",\"pid\":846,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_last_reviewed\":\"2023-03-27\",\"field_related_resources\":[{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"options\":[],\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"},{\"uri\":\"entity:node/771\",\"title\":\"Ongoing Authorization (OA)\",\"options\":[],\"url\":\"/learn/ongoing-authorization-oa\"},{\"uri\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\",\"title\":\" Cybersecurity and Risk Assessment Program Handbook\",\"options\":[],\"url\":\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026modificationDate=1711993052415\u0026api=v2\"}],\"field_short_description\":{\"value\":\"A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems. 
\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems.\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/node_type?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/node_type?resourceVersion=id%3A5858\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/revision_uid?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/revision_uid?resourceVersion=id%3A5858\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/uid?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/uid?resourceVersion=id%3A5858\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_resource_type?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi
/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_resource_type?resourceVersion=id%3A5858\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_roles?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_roles?resourceVersion=id%3A5858\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/field_topics?resourceVersion=id%3A5858\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/ccc8540c-c385-44e3-8788-fcd3b96df2d7/relationships/field_topics?resourceVersion=id%3A5858\"}}}}},{\"type\":\"node--explainer\",\"id\":\"2bfd3478-c381-432c-a7ec-53fa803668ee\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee?resourceVersion=id%3A6081\"}},\"attributes\":{\"drupal_internal__nid\":276,\"drupal_internal__vid\":6081,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T19:24:02+00:00\",\"status\":true,\"title\":\"C
yber Risk Reports (CRR)\",\"created\":\"2022-08-26T15:05:42+00:00\",\"changed\":\"2025-01-14T20:34:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cyber-risk-reports\",\"pid\":266,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CRMPMO@cms.hhs.gov\",\"field_contact_name\":\"CRM Team\",\"field_short_description\":{\"value\":\"Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eReports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/node_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/node_type?resourceVersion=id%3A6081\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/revision_uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/revision_uid?resourceVersi
on=id%3A6081\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/uid?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/uid?resourceVersion=id%3A6081\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"99eb2a67-6873-48f2-9027-a58a87a1ef43\",\"meta\":{\"target_revision_id\":19976,\"drupal_internal__target_id\":1041}},{\"type\":\"paragraph--page_section\",\"id\":\"55411c7e-d16e-4e24-9ec0-e61d07f1aaab\",\"meta\":{\"target_revision_id\":19981,\"drupal_internal__target_id\":1051}},{\"type\":\"paragraph--page_section\",\"id\":\"1ed92f8d-8be4-41a2-bc9c-e012801a98bf\",\"meta\":{\"target_revision_id\":19986,\"drupal_internal__target_id\":1061}},{\"type\":\"paragraph--page_section\",\"id\":\"9ab563ca-90a0-4ff0-a86c-2b0de01421c2\",\"meta\":{\"target_revision_id\":19996,\"drupal_internal__target_id\":1071}},{\"type\":\"paragraph--page_section\",\"id\":\"d2de38a5-dc24-41cd-9344-bb7d2240b7f4\",\"meta\":{\"target_revision_id\":20006,\"drupal_internal__target_id\":1091}},{\"type\":\"paragraph--page_section\",\"id\":\"8383a3b3-7807-40a8-96f7-0197052ff373\",\"meta\":{\"target_revision_id\":20016,\"drupal_internal__target_id\":1101}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_page_section?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_page_section?resourceVersion=id%3A6081\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b0c313be-306b-48cd-b0bf-8a70f2bae7fb\",\"meta\":{\"target_revision_id\":20021,\"drupal_interna
l__target_id\":1911}},{\"type\":\"paragraph--internal_link\",\"id\":\"32ab944d-d8c2-480b-b01e-85fa1a7eaf17\",\"meta\":{\"target_revision_id\":20026,\"drupal_internal__target_id\":1916}},{\"type\":\"paragraph--internal_link\",\"id\":\"21220e28-a46b-469f-9033-3e3482d07b4e\",\"meta\":{\"target_revision_id\":20031,\"drupal_internal__target_id\":3386}},{\"type\":\"paragraph--internal_link\",\"id\":\"1dc73a64-e5a5-419e-9363-9e91887427be\",\"meta\":{\"target_revision_id\":20036,\"drupal_internal__target_id\":3387}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_related_collection?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_related_collection?resourceVersion=id%3A6081\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_resource_type?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_resource_type?resourceVersion=id%3A6081\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/e
xplainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_roles?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_roles?resourceVersion=id%3A6081\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/field_topics?resourceVersion=id%3A6081\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/2bfd3478-c381-432c-a7ec-53fa803668ee/relationships/field_topics?resourceVersion=id%3A6081\"}}}}},{\"type\":\"node--explainer\",\"id\":\"1f32f891-d557-40ae-84b5-2cecc9300e08\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08?resourceVersion=id%3A5525\"}},\"attributes\":{\"drupal_internal__nid\":676,\"drupal_internal__vid\":5525,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-04T17:13:19+00:00\",\"status\":true,\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"created\":\"2023-02-04T14:55:07+00:00\",\"changed\":\"2024-06-04T17:13:19+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"pid\":666,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CDMPMO@cms.hhs.gov\",\"field_contact_name\":\"CDM team\",\"field_short_description\":{\"value\":\"Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eAutomated scanning and risk analysis to 
strengthen the security posture of CMS FISMA systems\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cyber-risk-management\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/node_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/node_type?resourceVersion=id%3A5525\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"7e79c546-d123-46dd-9480-b7f2e7d81691\",\"meta\":{\"drupal_internal__target_id\":107}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/revision_uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/revision_uid?resourceVersion=id%3A5525\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/uid?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/uid?resourceVersion=id%3A5525\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8b7bda2b-e3dc-4760-9901-27255f14ff41\",\"meta\":{\"target_revision_id\":17929,\"drupal_internal__target_id\":546}},{\"type\":\"paragraph--page_section\",\"id\":\"8e76f588-fd94-4439-b7e3-73c8b83e3500\",\"meta\":{\"target_revision_id\":17930,\"drupal_internal__target_id\":551}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32
f891-d557-40ae-84b5-2cecc9300e08/field_page_section?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_page_section?resourceVersion=id%3A5525\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"bc285af3-dba7-4a12-8881-a8fed446dded\",\"meta\":{\"target_revision_id\":17931,\"drupal_internal__target_id\":1891}},{\"type\":\"paragraph--internal_link\",\"id\":\"1bc4b03f-652f-4fbf-8024-43e830b4b0a3\",\"meta\":{\"target_revision_id\":17932,\"drupal_internal__target_id\":1896}},{\"type\":\"paragraph--internal_link\",\"id\":\"05f865ef-4960-439b-9fca-9e7d70dfbe39\",\"meta\":{\"target_revision_id\":17933,\"drupal_internal__target_id\":1906}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_related_collection?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_related_collection?resourceVersion=id%3A5525\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_resource_type?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_resource_type?resourceVersion=id%3A5525\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/js
onapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_roles?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_roles?resourceVersion=id%3A5525\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/field_topics?resourceVersion=id%3A5525\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1f32f891-d557-40ae-84b5-2cecc9300e08/relationships/field_topics?resourceVersion=id%3A5525\"}}}}},{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}},\"attributes\":{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1e\",\"format\":\"body_text\",\"processed\":\"$1f\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":[{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resou
rceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"hre
f\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}}}}},{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}},\"attributes\":{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust \",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system 
security\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-zero-trust\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page
_section?resourceVersion=id%3A6076\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}},{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}},{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}},{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}},{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":
\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3A6076\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$20\",\"7e79c546-d123-46dd-9480-b7f2e7d81691\":\"$2a\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2e\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$32\",\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\":\"$4c\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$66\",\"dfc07f21-a3f0-48e8-92ac-41f915d0b1ef\":\"$80\",\"749bf025-6e11-4adc-8097-fe29609424c5\":\"$95\",\"d33367a1-46bf-4b3c-9d32-5559dac28c9c\":\"$a8\",\"56fe1469-28fd-40c4-89f0-6a2033d81d76\":\"$b7\",\"abca5f65-f7dc-4eef-9a06-27e97fed2ab1\":\"$c9\",\"b9a8eb5d-5793-443b-9fba-eb1deaec924c\":\"$db\",\"12a352b7-69e0-4b22-80f0-395676d39cc1\":\"$ed\",\"ef41f9d2-9239-47f4-a7fe-d2353b62d404\":\"$ff\",\"ccc8540c-c385-44e3-8788-fcd3b96df2d7\":\"$111\",\"2bfd3478-c381-432c-a7ec-53fa803668ee\":\"$150\",\"1f32f891-d557-40ae-84b5-2cecc9300
e08\":\"$1a2\",\"5077403d-f7aa-4bc8-b274-7af05e7134bb\":\"$1e8\",\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\":\"$227\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Security Data Lake (SDL) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities \"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Security Data Lake (SDL) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities 
\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Security Data Lake (SDL) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities \"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |