publicdata/cms-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cms-gov/security.cms.gov/learn/cms-technical-reference-architecture-tra
Scott Williams b906a0e722 Initial commit
2025-02-28 14:41:14 -05:00

1 line
No EOL
450 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>CMS Technical Reference Architecture (TRA) | CMS Information Security &amp; Privacy Group</title><meta name="description" content="The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency"/><link rel="canonical" href="https://security.cms.gov/learn/cms-technical-reference-architecture-tra"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="CMS Technical Reference Architecture (TRA) | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency"/><meta property="og:url" content="https://security.cms.gov/learn/cms-technical-reference-architecture-tra"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cms-technical-reference-architecture-tra/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="CMS Technical Reference Architecture (TRA) | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cms-technical-reference-architecture-tra/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">CMS Technical Reference Architecture (TRA)</h1><p class="hero__description">The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">TRA Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:tra-admin@cms.hhs.gov">tra-admin@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#cms-it-governance</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is the TRA?</h2><p>The CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.</p><p>The CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).</p><h2>How does the TRA benefit us?</h2><p>By requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:</p><ul><li>Ensure an effective, standardized operating environment</li><li>Establish sound and consistent security practices</li><li>Promote compliance with CMS decisions in future CMS task orders and acquisitions</li><li>Enable interoperability and encourage reuse/shared infrastructure</li><li>Provide a consistent set of architectural best practices for use throughout CMS</li></ul><h2>TRA compliance requirements</h2><p>Several major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.</p><h2>Access the TRA</h2><p>The current and complete version of the TRA is posted on the <a href="https://tra.cloud.cms.gov/">CMS TRA website</a>. This is only accessible from the internal CMS network and requires EUA authentication.</p><p>External contractors needing access to the TRA can access the <a href="https://www.cms.gov/tra">public version of the TRA here</a>.</p><p>The public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).</p><h2>Contact</h2><p>For questions or assistance with the TRA, you can reach the TRA team via email: <a href="mailto:tra-admin@cms.hhs.gov">tra-admin@cms.hhs.gov</a></p><p>But if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their&nbsp;IT efforts, enabling successful integration&nbsp;within the&nbsp;CMS&nbsp;IT environment. You can reach the TRB via email: <a href="mailto:cms-trb@cms.hhs.gov">cms-trb@cms.hhs.gov</a>&nbsp;</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing and documenting system security and compliance to gain approval to operate the system at CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/ispg/system-authorization">System Authorization</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-cloud-services">CMS Cloud Services</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Platform-As-A-Service with tools, security, and support services designed specifically for CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/saas-governance-saasg">SaaS Governance (SaaSG)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Considerations and guidelines for CMS business units wanting to use SaaS applications</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-security-and-privacy-handbooks">CMS Security and Privacy Handbooks</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cms-technical-reference-architecture-tra\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cms-technical-reference-architecture-tra\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-technical-reference-architecture-tra\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cms-technical-reference-architecture-tra\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Taa7,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the TRA?\u003c/h2\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.\u003c/p\u003e\u003cp\u003eThe CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).\u003c/p\u003e\u003ch2\u003eHow does the TRA benefit us?\u003c/h2\u003e\u003cp\u003eBy requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure an effective, standardized operating environment\u003c/li\u003e\u003cli\u003eEstablish sound and consistent security practices\u003c/li\u003e\u003cli\u003ePromote compliance with CMS decisions in future CMS task orders and acquisitions\u003c/li\u003e\u003cli\u003eEnable interoperability and encourage reuse/shared infrastructure\u003c/li\u003e\u003cli\u003eProvide a consistent set of architectural best practices for use throughout CMS\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTRA compliance requirements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSeveral major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.\u003c/p\u003e\u003ch2\u003eAccess the TRA\u003c/h2\u003e\u003cp\u003eThe current and complete version of the TRA is posted on the \u003ca href=\"https://tra.cloud.cms.gov/\" target=\"_blank\"\u003eCMS TRA website\u003c/a\u003e. This is only accessible from the internal CMS network and requires EUA authentication.\u003c/p\u003e\u003cp\u003eExternal contractors needing access to the TRA can access the \u003ca href=\"https://www.cms.gov/tra\"\u003epublic version of the TRA here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eFor questions or assistance with the TRA, you can reach the TRA team via email: \u003ca href=\"mailto:tra-admin@cms.hhs.gov\"\u003etra-admin@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eBut if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their\u0026nbsp;IT efforts, enabling successful integration\u0026nbsp;within the\u0026nbsp;CMS\u0026nbsp;IT environment. You can reach the TRB via email: \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Taa7,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the TRA?\u003c/h2\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.\u003c/p\u003e\u003cp\u003eThe CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).\u003c/p\u003e\u003ch2\u003eHow does the TRA benefit us?\u003c/h2\u003e\u003cp\u003eBy requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure an effective, standardized operating environment\u003c/li\u003e\u003cli\u003eEstablish sound and consistent security practices\u003c/li\u003e\u003cli\u003ePromote compliance with CMS decisions in future CMS task orders and acquisitions\u003c/li\u003e\u003cli\u003eEnable interoperability and encourage reuse/shared infrastructure\u003c/li\u003e\u003cli\u003eProvide a consistent set of architectural best practices for use throughout CMS\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTRA compliance requirements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSeveral major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.\u003c/p\u003e\u003ch2\u003eAccess the TRA\u003c/h2\u003e\u003cp\u003eThe current and complete version of the TRA is posted on the \u003ca href=\"https://tra.cloud.cms.gov/\" target=\"_blank\"\u003eCMS TRA website\u003c/a\u003e. This is only accessible from the internal CMS network and requires EUA authentication.\u003c/p\u003e\u003cp\u003eExternal contractors needing access to the TRA can access the \u003ca href=\"https://www.cms.gov/tra\"\u003epublic version of the TRA here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eFor questions or assistance with the TRA, you can reach the TRA team via email: \u003ca href=\"mailto:tra-admin@cms.hhs.gov\"\u003etra-admin@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eBut if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their\u0026nbsp;IT efforts, enabling successful integration\u0026nbsp;within the\u0026nbsp;CMS\u0026nbsp;IT environment. You can reach the TRB via email: \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1b:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"alex.kerr\"}\n26:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"mburgess\"}\n2a:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"d"])</script><script>self.__next_f.push([1,"efault_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_internal__"])</script><script>self.__next_f.push([1,"tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxon"])</script><script>self.__next_f.push([1,"omy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles\",\"id\":\"f"])</script><script>self.__next_f.push([1,"591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\n93:{\"related\":\"$94\",\"self\":\""])</script><script>self.__next_f.push([1,"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"topics\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\naf:{\"href\":\"https://cybergee"])</script><script>self.__next_f.push([1,"k.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}\nb1:{\"self\":\"$b2\"}\nb4:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb3:{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b4\"}\nb8:{\"drupal_internal__target_id\":\"topics\"}\nb7:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$b8\"}\nba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}\nb9:{\"related\":\"$ba\",\"self\":\"$bb\"}\nb6:{\"data\":\"$b7\",\"links\":\"$b9\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nbc:{\"data\":null,\"links\":\"$bd\"}\nc6:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c6\"}\nc4:{\"help\":\"$c5\"}\nc3:{\"links\":\"$c4\"}\nc2:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c3\"}\nc1:[\"$c2\"]\nc8:{\"href\":\"ht"])</script><script>self.__next_f.push([1,"tps://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}\nc7:{\"related\":\"$c8\",\"self\":\"$c9\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c7\"}\nb5:{\"vid\":\"$b6\",\"revision_user\":\"$bc\",\"parent\":\"$c0\"}\nb0:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b5\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1?resourceVersion=id%3A16265\"}\ncb:{\"self\":\"$cc\"}\nce:[]\nd0:Taa7,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the TRA?\u003c/h2\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.\u003c/p\u003e\u003cp\u003eThe CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).\u003c/p\u003e\u003ch2\u003eHow does the TRA benefit us?\u003c/h2\u003e\u003cp\u003eBy requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure an effective, standardized operating environment\u003c/li\u003e\u003cli\u003eEstablish sound and consistent security practices\u003c/li\u003e\u003cli\u003ePromote compliance with CMS decisions in future CMS task orders and acquisitions\u003c/li\u003e\u003cli\u003eEnable interoperability and encourage reuse/shared infrastructure\u003c/li\u003e\u003cli\u003eProvide a consistent set of architectural best practices for use throughout CMS\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTRA compliance requirements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSeveral major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.\u003c/p\u003e\u003ch2\u003eAccess the TRA\u003c/h2\u003e\u003cp\u003eThe current and complete version of the TRA is posted on the \u003ca href=\"https://tra.cloud.cms.gov/\" target=\"_blank\"\u003eCMS TRA website\u003c/a\u003e. This is only accessible from the internal CMS network and requires EUA authentication.\u003c/p\u003e\u003cp\u003eExternal contractors needing access to the TRA can access the \u003ca href=\"https://www.cms.gov/tra\"\u003epublic version of the TRA here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eFor questions or assistance with the TRA, you can reach the TRA team via email: \u003ca href=\"mailto:tra-admin@cms.hhs.gov\"\u003etra-admin@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eBut if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their\u0026nbsp;IT efforts, enabling successful integration\u0026nbsp;within the\u0026nbsp;CMS\u0026nbsp;IT environment. You can reach the TRB via email: \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d1:Taa7,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eWhat is the TRA?\u003c/h2\u003e\u003cp\u003eThe CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.\u003c/p\u003e\u003cp\u003eThe CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).\u003c/p\u003e\u003ch2\u003eHow does the TRA benefit us?\u003c/h2\u003e\u003cp\u003eBy requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure an effective, standardized operating environment\u003c/li\u003e\u003cli\u003eEstablish sound and consistent security practices\u003c/li\u003e\u003cli\u003ePromote compliance with CMS decisions in future CMS task orders and acquisitions\u003c/li\u003e\u003cli\u003eEnable interoperability and encourage reuse/shared infrastructure\u003c/li\u003e\u003cli\u003eProvide a consistent set of architectural best practices for use throughout CMS\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eTRA compliance requirements\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSeveral major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.\u003c/p\u003e\u003ch2\u003eAccess the TRA\u003c/h2\u003e\u003cp\u003eThe current and complete version of the TRA is posted on the \u003ca href=\"https://tra.cloud.cms.gov/\" target=\"_blank\"\u003eCMS TRA website\u003c/a\u003e. This is only accessible from the internal CMS network and requires EUA authentication.\u003c/p\u003e\u003cp\u003eExternal contractors needing access to the TRA can access the \u003ca href=\"https://www.cms.gov/tra\"\u003epublic version of the TRA here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).\u003c/p\u003e\u003ch2\u003eContact\u003c/h2\u003e\u003cp\u003eFor questions or assistance with the TRA, you can reach the TRA team via email: \u003ca href=\"mailto:tra-admin@cms.hhs.gov\"\u003etra-admin@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eBut if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their\u0026nbsp;IT efforts, enabling successful integration\u0026nbsp;within the\u0026nbsp;CMS\u0026nbsp;IT environment. You can reach the TRB via email: \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"cf:{\"value\":\"$d0\",\"format\":\"body_text\",\"processed\":\"$d1\"}\ncd:{\"drupal_internal__id\":3416,\"drupal_internal__revision_id\":16265,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:15+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ce\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$cf\"}\nd5:{\"drupal_internal__target_id\":\"page_section\"}\nd4:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d5\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/paragraph_type?resourceVersion=id%3A16265\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/relationships/paragraph_type?resourceVersion=id%3A16265\"}\nd6:{\"related\":\"$d7\",\"self\":\"$d8\"}\nd3:{\"data\":\"$d4\",\"links\":\"$d6\"}\ndb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/field_specialty_item?resourceVersion=id%3A16265\"}\ndc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/relationships/field_specialty_item?resourceVersion=id%3A16265\"}\nda:{\"related\":\"$db\",\"self\":\"$dc\"}\nd9:{\"data\":null,\"links\":\"$da\"}\nd2:{\"paragraph_type\":\"$d3\",\"field_specialty_item\":\"$d9\"}\nca:{\"type\":\"paragraph--page_section\",\"id\":\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\",\"links\":\"$cb\",\"attributes\":\"$cd\",\"relationships\":\"$d2\"}\ndf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414?resourceVersion=id%3A16266\"}\nde:{\"self\":\"$df\"}\ne1:[]\ne0:{\"drupal_internal__id\":3417,\"drupal_internal__revision_id\":16266,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:15+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$e1\",\"default_langcode\":true,\"revision_translation_affected\":true}\ne5:{\"drupal_internal__target_id\":\"internal_link\"}\ne4:{\"type\":\"paragraph"])</script><script>self.__next_f.push([1,"s_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$e5\"}\ne7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/paragraph_type?resourceVersion=id%3A16266\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/relationships/paragraph_type?resourceVersion=id%3A16266\"}\ne6:{\"related\":\"$e7\",\"self\":\"$e8\"}\ne3:{\"data\":\"$e4\",\"links\":\"$e6\"}\neb:{\"drupal_internal__target_id\":631}\nea:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":\"$eb\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/field_link?resourceVersion=id%3A16266\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/relationships/field_link?resourceVersion=id%3A16266\"}\nec:{\"related\":\"$ed\",\"self\":\"$ee\"}\ne9:{\"data\":\"$ea\",\"links\":\"$ec\"}\ne2:{\"paragraph_type\":\"$e3\",\"field_link\":\"$e9\"}\ndd:{\"type\":\"paragraph--internal_link\",\"id\":\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\",\"links\":\"$de\",\"attributes\":\"$e0\",\"relationships\":\"$e2\"}\nf1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77?resourceVersion=id%3A16267\"}\nf0:{\"self\":\"$f1\"}\nf3:[]\nf2:{\"drupal_internal__id\":3418,\"drupal_internal__revision_id\":16267,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:28+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$f3\",\"default_langcode\":true,\"revision_translation_affected\":true}\nf7:{\"drupal_internal__target_id\":\"internal_link\"}\nf6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$f7\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/paragraph_type?resourceVersion=id%3A16267\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/relationships/para"])</script><script>self.__next_f.push([1,"graph_type?resourceVersion=id%3A16267\"}\nf8:{\"related\":\"$f9\",\"self\":\"$fa\"}\nf5:{\"data\":\"$f6\",\"links\":\"$f8\"}\nfd:{\"drupal_internal__target_id\":206}\nfc:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":\"$fd\"}\nff:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/field_link?resourceVersion=id%3A16267\"}\n100:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/relationships/field_link?resourceVersion=id%3A16267\"}\nfe:{\"related\":\"$ff\",\"self\":\"$100\"}\nfb:{\"data\":\"$fc\",\"links\":\"$fe\"}\nf4:{\"paragraph_type\":\"$f5\",\"field_link\":\"$fb\"}\nef:{\"type\":\"paragraph--internal_link\",\"id\":\"f41c8404-7b78-4975-a0ff-fff1409d6a77\",\"links\":\"$f0\",\"attributes\":\"$f2\",\"relationships\":\"$f4\"}\n103:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29?resourceVersion=id%3A16268\"}\n102:{\"self\":\"$103\"}\n105:[]\n104:{\"drupal_internal__id\":3419,\"drupal_internal__revision_id\":16268,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:36+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$105\",\"default_langcode\":true,\"revision_translation_affected\":true}\n109:{\"drupal_internal__target_id\":\"internal_link\"}\n108:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$109\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/paragraph_type?resourceVersion=id%3A16268\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/relationships/paragraph_type?resourceVersion=id%3A16268\"}\n10a:{\"related\":\"$10b\",\"self\":\"$10c\"}\n107:{\"data\":\"$108\",\"links\":\"$10a\"}\n10f:{\"drupal_internal__target_id\":756}\n10e:{\"type\":\"node--landing\",\"id\":\"4610aa6a-34fd-46a7-b9d8-22cfc166433d\",\"meta\":\"$10f\"}\n111:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f2"])</script><script>self.__next_f.push([1,"9/field_link?resourceVersion=id%3A16268\"}\n112:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/relationships/field_link?resourceVersion=id%3A16268\"}\n110:{\"related\":\"$111\",\"self\":\"$112\"}\n10d:{\"data\":\"$10e\",\"links\":\"$110\"}\n106:{\"paragraph_type\":\"$107\",\"field_link\":\"$10d\"}\n101:{\"type\":\"paragraph--internal_link\",\"id\":\"669ee575-5a38-48c7-87cc-033627065f29\",\"links\":\"$102\",\"attributes\":\"$104\",\"relationships\":\"$106\"}\n115:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61?resourceVersion=id%3A16269\"}\n114:{\"self\":\"$115\"}\n117:[]\n116:{\"drupal_internal__id\":3420,\"drupal_internal__revision_id\":16269,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:43:37+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$117\",\"default_langcode\":true,\"revision_translation_affected\":true}\n11b:{\"drupal_internal__target_id\":\"internal_link\"}\n11a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$11b\"}\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/paragraph_type?resourceVersion=id%3A16269\"}\n11e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/relationships/paragraph_type?resourceVersion=id%3A16269\"}\n11c:{\"related\":\"$11d\",\"self\":\"$11e\"}\n119:{\"data\":\"$11a\",\"links\":\"$11c\"}\n121:{\"drupal_internal__target_id\":246}\n120:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":\"$121\"}\n123:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/field_link?resourceVersion=id%3A16269\"}\n124:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/relationships/field_link?resourceVersion=id%3A16269\"}\n122:{\"related\":\"$123\",\"self\":\"$124\"}\n11f:{\"data\":\"$120\",\"links\":\"$122\"}\n118:{\"paragraph_type\":\"$119\",\"field_link\":\"$11"])</script><script>self.__next_f.push([1,"f\"}\n113:{\"type\":\"paragraph--internal_link\",\"id\":\"b298ff2d-1fb1-485e-84aa-92c94e581f61\",\"links\":\"$114\",\"attributes\":\"$116\",\"relationships\":\"$118\"}\n127:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61?resourceVersion=id%3A16270\"}\n126:{\"self\":\"$127\"}\n129:[]\n128:{\"drupal_internal__id\":3421,\"drupal_internal__revision_id\":16270,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:43:47+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$129\",\"default_langcode\":true,\"revision_translation_affected\":true}\n12d:{\"drupal_internal__target_id\":\"internal_link\"}\n12c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$12d\"}\n12f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/paragraph_type?resourceVersion=id%3A16270\"}\n130:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/relationships/paragraph_type?resourceVersion=id%3A16270\"}\n12e:{\"related\":\"$12f\",\"self\":\"$130\"}\n12b:{\"data\":\"$12c\",\"links\":\"$12e\"}\n133:{\"drupal_internal__target_id\":736}\n132:{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"meta\":\"$133\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/field_link?resourceVersion=id%3A16270\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/relationships/field_link?resourceVersion=id%3A16270\"}\n134:{\"related\":\"$135\",\"self\":\"$136\"}\n131:{\"data\":\"$132\",\"links\":\"$134\"}\n12a:{\"paragraph_type\":\"$12b\",\"field_link\":\"$131\"}\n125:{\"type\":\"paragraph--internal_link\",\"id\":\"64cbbefb-4c79-4a51-a519-de08bd054e61\",\"links\":\"$126\",\"attributes\":\"$128\",\"relationships\":\"$12a\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1?resourceVersion=id%3A16271\"}\n138:{\"self\":\"$139\"}\n13b:[]\n13a:{\"drupal"])</script><script>self.__next_f.push([1,"_internal__id\":3443,\"drupal_internal__revision_id\":16271,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-21T14:11:03+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$13b\",\"default_langcode\":true,\"revision_translation_affected\":true}\n13f:{\"drupal_internal__target_id\":\"internal_link\"}\n13e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$13f\"}\n141:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/paragraph_type?resourceVersion=id%3A16271\"}\n142:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/relationships/paragraph_type?resourceVersion=id%3A16271\"}\n140:{\"related\":\"$141\",\"self\":\"$142\"}\n13d:{\"data\":\"$13e\",\"links\":\"$140\"}\n145:{\"drupal_internal__target_id\":681}\n144:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":\"$145\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/field_link?resourceVersion=id%3A16271\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/relationships/field_link?resourceVersion=id%3A16271\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n13c:{\"paragraph_type\":\"$13d\",\"field_link\":\"$143\"}\n137:{\"type\":\"paragraph--internal_link\",\"id\":\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\",\"links\":\"$138\",\"attributes\":\"$13a\",\"relationships\":\"$13c\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}\n14a:{\"self\":\"$14b\"}\n14d:{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"}\n14f:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"150:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered even if they are not required to implement because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owners due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the systems mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. The first two are security controls: Control AC-18 (Wireless Access) and PE- 13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"14e:{\"value\":\"$14f\",\"format\":\"body_text\",\"processed\":\"$150\",\"summary\":\"\"}\n153:[]\n152:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":\"$153\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n155:[]\n154:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":\"$155\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\n151:[\"$152\",\"$154\"]\n156:{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}\n14c:{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$14d\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$14e\",\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":\"$151\",\"field_short_description\":\"$156\"}\n15a:{\"drupal_internal__target_id\":\"library\"}\n159:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$15a\"}\n15c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"}\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}\n15b:{\"related\":\"$15c\",\"self\":\"$15d\"}\n158:{\"data\":\"$159\",\"links\":\"$15b\"}\n160:{\"drupal_internal__target_id\":159}\n15f:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8"])</script><script>self.__next_f.push([1,"d-5bd1329e5e64\",\"meta\":\"$160\"}\n162:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}\n161:{\"related\":\"$162\",\"self\":\"$163\"}\n15e:{\"data\":\"$15f\",\"links\":\"$161\"}\n166:{\"drupal_internal__target_id\":6}\n165:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$166\"}\n168:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"}\n169:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}\n167:{\"related\":\"$168\",\"self\":\"$169\"}\n164:{\"data\":\"$165\",\"links\":\"$167\"}\n16c:{\"drupal_internal__target_id\":96}\n16b:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$16c\"}\n16e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"}\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}\n16d:{\"related\":\"$16e\",\"self\":\"$16f\"}\n16a:{\"data\":\"$16b\",\"links\":\"$16d\"}\n173:{\"drupal_internal__target_id\":66}\n172:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$173\"}\n175:{\"drupal_internal__target_id\":81}\n174:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$175\"}\n177:{\"drupal_internal__target_id\":61}\n176:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$177\"}\n179:{\"drupal_internal__target_id\":76}\n178:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$179\"}\n17b:{\"drupal_internal__target_id\":71}\n17a:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$17b\"}\n171:[\"$172\",\"$"])</script><script>self.__next_f.push([1,"174\",\"$176\",\"$178\",\"$17a\"]\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"}\n17e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}\n17c:{\"related\":\"$17d\",\"self\":\"$17e\"}\n170:{\"data\":\"$171\",\"links\":\"$17c\"}\n182:{\"drupal_internal__target_id\":16}\n181:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$182\"}\n184:{\"drupal_internal__target_id\":36}\n183:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$184\"}\n180:[\"$181\",\"$183\"]\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"}\n187:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}\n185:{\"related\":\"$186\",\"self\":\"$187\"}\n17f:{\"data\":\"$180\",\"links\":\"$185\"}\n157:{\"node_type\":\"$158\",\"revision_uid\":\"$15e\",\"uid\":\"$164\",\"field_resource_type\":\"$16a\",\"field_roles\":\"$170\",\"field_topics\":\"$17f\"}\n149:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":\"$14a\",\"attributes\":\"$14c\",\"relationships\":\"$157\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}\n189:{\"self\":\"$18a\"}\n18c:{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"}\n18d:{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"}\n18e:[\"#cra-help\"]\n18b:{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:4"])</script><script>self.__next_f.push([1,"8+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$18c\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$18d\",\"field_slack_channel\":\"$18e\"}\n192:{\"drupal_internal__target_id\":\"explainer\"}\n191:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$192\"}\n194:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"}\n195:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}\n193:{\"related\":\"$194\",\"self\":\"$195\"}\n190:{\"data\":\"$191\",\"links\":\"$193\"}\n198:{\"drupal_internal__target_id\":6}\n197:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$198\"}\n19a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"}\n19b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}\n199:{\"related\":\"$19a\",\"self\":\"$19b\"}\n196:{\"data\":\"$197\",\"links\":\"$199\"}\n19e:{\"drupal_internal__target_id\":26}\n19d:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$19e\"}\n1a0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}\n19f:{\"related\":\"$1a0\",\"self\":\"$1a1\"}\n19c:{\"data\":\"$19d\",\"links\":\"$19f\"}\n1a5:{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}\n1a4:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"me"])</script><script>self.__next_f.push([1,"ta\":\"$1a5\"}\n1a7:{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}\n1a6:{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":\"$1a7\"}\n1a3:[\"$1a4\",\"$1a6\"]\n1a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}\n1a8:{\"related\":\"$1a9\",\"self\":\"$1aa\"}\n1a2:{\"data\":\"$1a3\",\"links\":\"$1a8\"}\n1ae:{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}\n1ad:{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":\"$1ae\"}\n1b0:{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}\n1af:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":\"$1b0\"}\n1b2:{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}\n1b1:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":\"$1b2\"}\n1b4:{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}\n1b3:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":\"$1b4\"}\n1b6:{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}\n1b5:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":\"$1b6\"}\n1ac:[\"$1ad\",\"$1af\",\"$1b1\",\"$1b3\",\"$1b5\"]\n1b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"}\n1b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}\n1b7:{\"related\":\"$1b8\",\"self\":\"$1b9\"}\n1ab:{\"data\":\"$1ac\",\"links\":\"$1b7\"}\n1bc:{\"drupal_internal__target_id\":131}\n1bb:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1bc\"}\n1be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4b"])</script><script>self.__next_f.push([1,"bd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"}\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}\n1bd:{\"related\":\"$1be\",\"self\":\"$1bf\"}\n1ba:{\"data\":\"$1bb\",\"links\":\"$1bd\"}\n1c3:{\"drupal_internal__target_id\":66}\n1c2:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1c3\"}\n1c5:{\"drupal_internal__target_id\":61}\n1c4:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1c5\"}\n1c7:{\"drupal_internal__target_id\":76}\n1c6:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1c7\"}\n1c1:[\"$1c2\",\"$1c4\",\"$1c6\"]\n1c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"}\n1ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}\n1c8:{\"related\":\"$1c9\",\"self\":\"$1ca\"}\n1c0:{\"data\":\"$1c1\",\"links\":\"$1c8\"}\n1ce:{\"drupal_internal__target_id\":11}\n1cd:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1ce\"}\n1cc:[\"$1cd\"]\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"}\n1d1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}\n1cf:{\"related\":\"$1d0\",\"self\":\"$1d1\"}\n1cb:{\"data\":\"$1cc\",\"links\":\"$1cf\"}\n18f:{\"node_type\":\"$190\",\"revision_uid\":\"$196\",\"uid\":\"$19c\",\"field_page_section\":\"$1a2\",\"field_related_collection\":\"$1ab\",\"field_resource_type\":\"$1ba\",\"field_roles\":\"$1c0\",\"field_topics\":\"$1cb\"}\n188:{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":\"$189\",\"attributes\":\"$18b\",\"relationships\":\"$18f\"}\n1d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d?resourceVersion=id%3A52"])</script><script>self.__next_f.push([1,"00\"}\n1d3:{\"self\":\"$1d4\"}\n1d6:{\"alias\":\"/ispg/system-authorization\",\"pid\":736,\"langcode\":\"en\"}\n1d7:{\"value\":\"Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate\u003c/p\u003e\\n\"}\n1d8:[\"#cra-help\",\"#security-community\"]\n1d5:{\"drupal_internal__nid\":756,\"drupal_internal__vid\":5200,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T18:14:15+00:00\",\"status\":true,\"title\":\"System Authorization\",\"created\":\"2023-03-01T15:36:53+00:00\",\"changed\":\"2024-01-05T18:14:15+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1d6\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CISO Team\",\"field_short_description\":\"$1d7\",\"field_slack_channel\":\"$1d8\"}\n1dc:{\"drupal_internal__target_id\":\"landing\"}\n1db:{\"type\":\"node_type--node_type\",\"id\":\"ac6ed7cc-09c7-4ce7-8f9e-9fb35373d2d7\",\"meta\":\"$1dc\"}\n1de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/node_type?resourceVersion=id%3A5200\"}\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/node_type?resourceVersion=id%3A5200\"}\n1dd:{\"related\":\"$1de\",\"self\":\"$1df\"}\n1da:{\"data\":\"$1db\",\"links\":\"$1dd\"}\n1e2:{\"drupal_internal__target_id\":36}\n1e1:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":\"$1e2\"}\n1e4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/revision_uid?resourceVersion=id%3A5200\"}\n1e5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/revision_uid?resourceVersion"])</script><script>self.__next_f.push([1,"=id%3A5200\"}\n1e3:{\"related\":\"$1e4\",\"self\":\"$1e5\"}\n1e0:{\"data\":\"$1e1\",\"links\":\"$1e3\"}\n1e8:{\"drupal_internal__target_id\":6}\n1e7:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1e8\"}\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/uid?resourceVersion=id%3A5200\"}\n1eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/uid?resourceVersion=id%3A5200\"}\n1e9:{\"related\":\"$1ea\",\"self\":\"$1eb\"}\n1e6:{\"data\":\"$1e7\",\"links\":\"$1e9\"}\n1ee:{\"target_revision_id\":16760,\"drupal_internal__target_id\":2226}\n1ed:{\"type\":\"paragraph--text_block\",\"id\":\"eee26e03-5dab-4133-b5be-f0a063a62b52\",\"meta\":\"$1ee\"}\n1f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_content?resourceVersion=id%3A5200\"}\n1f1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_content?resourceVersion=id%3A5200\"}\n1ef:{\"related\":\"$1f0\",\"self\":\"$1f1\"}\n1ec:{\"data\":\"$1ed\",\"links\":\"$1ef\"}\n1f5:{\"target_revision_id\":16761,\"drupal_internal__target_id\":3292}\n1f4:{\"type\":\"paragraph--internal_link\",\"id\":\"e4ed5315-a691-4d69-9698-5385d9c6e63e\",\"meta\":\"$1f5\"}\n1f7:{\"target_revision_id\":16762,\"drupal_internal__target_id\":3293}\n1f6:{\"type\":\"paragraph--internal_link\",\"id\":\"72df51c6-c0df-46bc-a901-076d7cd3f9a6\",\"meta\":\"$1f7\"}\n1f9:{\"target_revision_id\":16763,\"drupal_internal__target_id\":3294}\n1f8:{\"type\":\"paragraph--internal_link\",\"id\":\"0054e954-1b0f-4a73-8ec4-59bf4f1088fe\",\"meta\":\"$1f9\"}\n1fb:{\"target_revision_id\":16764,\"drupal_internal__target_id\":3295}\n1fa:{\"type\":\"paragraph--internal_link\",\"id\":\"994ff88f-3d2f-4128-a649-d3e7f8aa7c42\",\"meta\":\"$1fb\"}\n1fd:{\"target_revision_id\":16765,\"drupal_internal__target_id\":3296}\n1fc:{\"type\":\"paragraph--internal_link\",\"id\":\"cf58b858-f552-4913-8d7c-6ac1f91c1728\",\"meta\":\"$1fd\"}\n1ff:{\"target_revision_id\":16766,\"drupal_internal__target_id\":3297}\n1fe:{\"type\":\"paragraph--internal_link\",\"id\":\"8b52104f-ada3-4cbe-b503-6b188c9c5fd"])</script><script>self.__next_f.push([1,"7\",\"meta\":\"$1ff\"}\n201:{\"target_revision_id\":16767,\"drupal_internal__target_id\":3298}\n200:{\"type\":\"paragraph--internal_link\",\"id\":\"be3ecc39-f0c9-405a-b5ff-862115870314\",\"meta\":\"$201\"}\n203:{\"target_revision_id\":16768,\"drupal_internal__target_id\":3299}\n202:{\"type\":\"paragraph--internal_link\",\"id\":\"d13c15f6-afe7-4d23-bb35-9b248f178220\",\"meta\":\"$203\"}\n205:{\"target_revision_id\":16769,\"drupal_internal__target_id\":3300}\n204:{\"type\":\"paragraph--internal_link\",\"id\":\"75ad8713-9fdb-4d38-84db-1bffd3972312\",\"meta\":\"$205\"}\n1f3:[\"$1f4\",\"$1f6\",\"$1f8\",\"$1fa\",\"$1fc\",\"$1fe\",\"$200\",\"$202\",\"$204\"]\n207:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_resource_collection?resourceVersion=id%3A5200\"}\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_resource_collection?resourceVersion=id%3A5200\"}\n206:{\"related\":\"$207\",\"self\":\"$208\"}\n1f2:{\"data\":\"$1f3\",\"links\":\"$206\"}\n20a:[]\n20c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_roles?resourceVersion=id%3A5200\"}\n20d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_roles?resourceVersion=id%3A5200\"}\n20b:{\"related\":\"$20c\",\"self\":\"$20d\"}\n209:{\"data\":\"$20a\",\"links\":\"$20b\"}\n211:{\"drupal_internal__target_id\":11}\n210:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$211\"}\n20f:[\"$210\"]\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_topics?resourceVersion=id%3A5200\"}\n214:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_topics?resourceVersion=id%3A5200\"}\n212:{\"related\":\"$213\",\"self\":\"$214\"}\n20e:{\"data\":\"$20f\",\"links\":\"$212\"}\n1d9:{\"node_type\":\"$1da\",\"revision_uid\":\"$1e0\",\"uid\":\"$1e6\",\"field_content\":\"$1ec\",\"field_resource_collection\":\"$1f2\",\"field_roles\":\"$209\",\"field_topics\":\"$20e\"}\n1d2:{\"type\":\"node--landing\",\"id\":\"4610aa6a"])</script><script>self.__next_f.push([1,"-34fd-46a7-b9d8-22cfc166433d\",\"links\":\"$1d3\",\"attributes\":\"$1d5\",\"relationships\":\"$1d9\"}\n217:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}\n216:{\"self\":\"$217\"}\n219:{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"}\n21a:{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"}\n21b:[\"#cms-cloud-security-forum\"]\n218:{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$219\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":\"$21a\",\"field_slack_channel\":\"$21b\"}\n21f:{\"drupal_internal__target_id\":\"explainer\"}\n21e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$21f\"}\n221:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"}\n222:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}\n220:{\"related\":\"$221\",\"self\":\"$222\"}\n21d:{\"data\":\"$21e\",\"links\":\"$220\"}\n225:{\"drupal_internal__target_id\":6}\n224:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$225\"}\n227:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"}\n228:{\"href\":\"h"])</script><script>self.__next_f.push([1,"ttps://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}\n226:{\"related\":\"$227\",\"self\":\"$228\"}\n223:{\"data\":\"$224\",\"links\":\"$226\"}\n22b:{\"drupal_internal__target_id\":26}\n22a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$22b\"}\n22d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"}\n22e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}\n22c:{\"related\":\"$22d\",\"self\":\"$22e\"}\n229:{\"data\":\"$22a\",\"links\":\"$22c\"}\n232:{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}\n231:{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":\"$232\"}\n230:[\"$231\"]\n234:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"}\n235:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}\n233:{\"related\":\"$234\",\"self\":\"$235\"}\n22f:{\"data\":\"$230\",\"links\":\"$233\"}\n239:{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}\n238:{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":\"$239\"}\n23b:{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}\n23a:{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":\"$23b\"}\n23d:{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}\n23c:{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":\"$23d\"}\n23f:{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}\n23e:{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":\"$23f\"}\n237:[\"$238\",\"$23a\",\"$23c\",\"$23e\"]\n241:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_coll"])</script><script>self.__next_f.push([1,"ection?resourceVersion=id%3A5668\"}\n242:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}\n240:{\"related\":\"$241\",\"self\":\"$242\"}\n236:{\"data\":\"$237\",\"links\":\"$240\"}\n245:{\"drupal_internal__target_id\":121}\n244:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$245\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"}\n248:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}\n246:{\"related\":\"$247\",\"self\":\"$248\"}\n243:{\"data\":\"$244\",\"links\":\"$246\"}\n24c:{\"drupal_internal__target_id\":76}\n24b:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$24c\"}\n24e:{\"drupal_internal__target_id\":71}\n24d:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$24e\"}\n24a:[\"$24b\",\"$24d\"]\n250:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"}\n251:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}\n24f:{\"related\":\"$250\",\"self\":\"$251\"}\n249:{\"data\":\"$24a\",\"links\":\"$24f\"}\n255:{\"drupal_internal__target_id\":41}\n254:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$255\"}\n257:{\"drupal_internal__target_id\":11}\n256:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$257\"}\n253:[\"$254\",\"$256\"]\n259:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"}\n25a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}\n258:{\"related\":\"$259\",\"sel"])</script><script>self.__next_f.push([1,"f\":\"$25a\"}\n252:{\"data\":\"$253\",\"links\":\"$258\"}\n21c:{\"node_type\":\"$21d\",\"revision_uid\":\"$223\",\"uid\":\"$229\",\"field_page_section\":\"$22f\",\"field_related_collection\":\"$236\",\"field_resource_type\":\"$243\",\"field_roles\":\"$249\",\"field_topics\":\"$252\"}\n215:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":\"$216\",\"attributes\":\"$218\",\"relationships\":\"$21c\"}\n25d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=id%3A5934\"}\n25e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=rel%3Aworking-copy\"}\n25c:{\"self\":\"$25d\",\"working-copy\":\"$25e\"}\n260:{\"alias\":\"/learn/saas-governance-saasg\",\"pid\":726,\"langcode\":\"en\"}\n261:{\"value\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eConsiderations and guidelines for CMS business units wanting to use SaaS applications\u003c/p\u003e\\n\"}\n262:[\"#ispg-saas-governance\"]\n25f:{\"drupal_internal__nid\":736,\"drupal_internal__vid\":5934,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-28T13:01:56+00:00\",\"status\":true,\"title\":\"SaaS Governance (SaaSG)\",\"created\":\"2023-02-13T19:52:17+00:00\",\"changed\":\"2024-09-28T13:01:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$260\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaSG Team\",\"field_short_description\":\"$261\",\"field_slack_channel\":\"$262\"}\n266:{\"drupal_internal__target_id\":\"explainer\"}\n265:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$266\"}\n268:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/node_type?resourceVersion=id%3A5934\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a1"])</script><script>self.__next_f.push([1,"8-8e35dc2c1e2a/relationships/node_type?resourceVersion=id%3A5934\"}\n267:{\"related\":\"$268\",\"self\":\"$269\"}\n264:{\"data\":\"$265\",\"links\":\"$267\"}\n26c:{\"drupal_internal__target_id\":6}\n26b:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$26c\"}\n26e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/revision_uid?resourceVersion=id%3A5934\"}\n26f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/revision_uid?resourceVersion=id%3A5934\"}\n26d:{\"related\":\"$26e\",\"self\":\"$26f\"}\n26a:{\"data\":\"$26b\",\"links\":\"$26d\"}\n272:{\"drupal_internal__target_id\":6}\n271:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$272\"}\n274:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/uid?resourceVersion=id%3A5934\"}\n275:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/uid?resourceVersion=id%3A5934\"}\n273:{\"related\":\"$274\",\"self\":\"$275\"}\n270:{\"data\":\"$271\",\"links\":\"$273\"}\n279:{\"target_revision_id\":19389,\"drupal_internal__target_id\":1446}\n278:{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"meta\":\"$279\"}\n27b:{\"target_revision_id\":19396,\"drupal_internal__target_id\":3528}\n27a:{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"meta\":\"$27b\"}\n27d:{\"target_revision_id\":19397,\"drupal_internal__target_id\":3529}\n27c:{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"meta\":\"$27d\"}\n27f:{\"target_revision_id\":19398,\"drupal_internal__target_id\":1451}\n27e:{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"meta\":\"$27f\"}\n277:[\"$278\",\"$27a\",\"$27c\",\"$27e\"]\n281:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_page_section?resourceVersion=id%3A5934\"}\n282:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/fiel"])</script><script>self.__next_f.push([1,"d_page_section?resourceVersion=id%3A5934\"}\n280:{\"related\":\"$281\",\"self\":\"$282\"}\n276:{\"data\":\"$277\",\"links\":\"$280\"}\n286:{\"target_revision_id\":19399,\"drupal_internal__target_id\":1671}\n285:{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"meta\":\"$286\"}\n288:{\"target_revision_id\":19400,\"drupal_internal__target_id\":1676}\n287:{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"meta\":\"$288\"}\n28a:{\"target_revision_id\":19401,\"drupal_internal__target_id\":1681}\n289:{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"meta\":\"$28a\"}\n284:[\"$285\",\"$287\",\"$289\"]\n28c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_related_collection?resourceVersion=id%3A5934\"}\n28d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_related_collection?resourceVersion=id%3A5934\"}\n28b:{\"related\":\"$28c\",\"self\":\"$28d\"}\n283:{\"data\":\"$284\",\"links\":\"$28b\"}\n290:{\"drupal_internal__target_id\":121}\n28f:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$290\"}\n292:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_resource_type?resourceVersion=id%3A5934\"}\n293:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_resource_type?resourceVersion=id%3A5934\"}\n291:{\"related\":\"$292\",\"self\":\"$293\"}\n28e:{\"data\":\"$28f\",\"links\":\"$291\"}\n297:{\"drupal_internal__target_id\":61}\n296:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$297\"}\n299:{\"drupal_internal__target_id\":76}\n298:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$299\"}\n295:[\"$296\",\"$298\"]\n29b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_roles?resourceVersion=id%3A5934\"}\n29c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-4"])</script><script>self.__next_f.push([1,"2ae-9a18-8e35dc2c1e2a/relationships/field_roles?resourceVersion=id%3A5934\"}\n29a:{\"related\":\"$29b\",\"self\":\"$29c\"}\n294:{\"data\":\"$295\",\"links\":\"$29a\"}\n2a0:{\"drupal_internal__target_id\":41}\n29f:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$2a0\"}\n2a2:{\"drupal_internal__target_id\":16}\n2a1:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$2a2\"}\n29e:[\"$29f\",\"$2a1\"]\n2a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_topics?resourceVersion=id%3A5934\"}\n2a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_topics?resourceVersion=id%3A5934\"}\n2a3:{\"related\":\"$2a4\",\"self\":\"$2a5\"}\n29d:{\"data\":\"$29e\",\"links\":\"$2a3\"}\n263:{\"node_type\":\"$264\",\"revision_uid\":\"$26a\",\"uid\":\"$270\",\"field_page_section\":\"$276\",\"field_related_collection\":\"$283\",\"field_resource_type\":\"$28e\",\"field_roles\":\"$294\",\"field_topics\":\"$29d\"}\n25b:{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"links\":\"$25c\",\"attributes\":\"$25f\",\"relationships\":\"$263\"}\n2a8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}\n2a7:{\"self\":\"$2a8\"}\n2aa:{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"}\n2ab:{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"}\n2ac:[\"#ispg-sec_privacy-policy\"]\n2a9:{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy Handbooks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":tru"])</script><script>self.__next_f.push([1,"e,\"moderation_state\":\"published\",\"path\":\"$2aa\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":\"$2ab\",\"field_slack_channel\":\"$2ac\"}\n2b0:{\"drupal_internal__target_id\":\"explainer\"}\n2af:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2b0\"}\n2b2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"}\n2b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}\n2b1:{\"related\":\"$2b2\",\"self\":\"$2b3\"}\n2ae:{\"data\":\"$2af\",\"links\":\"$2b1\"}\n2b6:{\"drupal_internal__target_id\":6}\n2b5:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$2b6\"}\n2b8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"}\n2b9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}\n2b7:{\"related\":\"$2b8\",\"self\":\"$2b9\"}\n2b4:{\"data\":\"$2b5\",\"links\":\"$2b7\"}\n2bc:{\"drupal_internal__target_id\":6}\n2bb:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$2bc\"}\n2be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"}\n2bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}\n2bd:{\"related\":\"$2be\",\"self\":\"$2bf\"}\n2ba:{\"data\":\"$2bb\",\"links\":\"$2bd\"}\n2c3:{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}\n2c2:{\"type\":\"paragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":\"$2c3\"}\n2c5:{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}\n2c4:{\"type\":\"paragrap"])</script><script>self.__next_f.push([1,"h--page_section\",\"id\":\"f5048b9a-b22a-4e67-abde-e964ff928b22\",\"meta\":\"$2c5\"}\n2c1:[\"$2c2\",\"$2c4\"]\n2c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"}\n2c8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}\n2c6:{\"related\":\"$2c7\",\"self\":\"$2c8\"}\n2c0:{\"data\":\"$2c1\",\"links\":\"$2c6\"}\n2cc:{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}\n2cb:{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":\"$2cc\"}\n2ce:{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}\n2cd:{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":\"$2ce\"}\n2d0:{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}\n2cf:{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":\"$2d0\"}\n2d2:{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}\n2d1:{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":\"$2d2\"}\n2d4:{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}\n2d3:{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":\"$2d4\"}\n2d6:{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}\n2d5:{\"type\":\"paragraph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":\"$2d6\"}\n2ca:[\"$2cb\",\"$2cd\",\"$2cf\",\"$2d1\",\"$2d3\",\"$2d5\"]\n2d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"}\n2d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}\n2d7:{\"related\":\"$2d8\",\"self\":\"$2d9\"}\n2c9:{\"data\":\"$2ca\",\"links\":\"$2d7\"}\n2dc:{\"drupal_internal__target_id\":131}\n2db:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2dc\"}\n2de:{\"hr"])</script><script>self.__next_f.push([1,"ef\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"}\n2df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}\n2dd:{\"related\":\"$2de\",\"self\":\"$2df\"}\n2da:{\"data\":\"$2db\",\"links\":\"$2dd\"}\n2e3:{\"drupal_internal__target_id\":66}\n2e2:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2e3\"}\n2e5:{\"drupal_internal__target_id\":81}\n2e4:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$2e5\"}\n2e7:{\"drupal_internal__target_id\":61}\n2e6:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2e7\"}\n2e9:{\"drupal_internal__target_id\":76}\n2e8:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2e9\"}\n2eb:{\"drupal_internal__target_id\":71}\n2ea:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2eb\"}\n2e1:[\"$2e2\",\"$2e4\",\"$2e6\",\"$2e8\",\"$2ea\"]\n2ed:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"}\n2ee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id%3A5970\"}\n2ec:{\"related\":\"$2ed\",\"self\":\"$2ee\"}\n2e0:{\"data\":\"$2e1\",\"links\":\"$2ec\"}\n2f2:{\"drupal_internal__target_id\":16}\n2f1:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$2f2\"}\n2f0:[\"$2f1\"]\n2f4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"}\n2f5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}\n2f3:{\"related\":\"$2f4\",\"self\":\"$2f5\"}\n2ef:{\"data\":\"$2f0\",\"links\":\"$2f3\"}\n2ad:{\"node_type\":\"$2ae\",\"revision_uid\":\"$2b4\",\"uid\":\"$2ba\",\"field_page_section\":\"$2c0\",\"field_relat"])</script><script>self.__next_f.push([1,"ed_collection\":\"$2c9\",\"field_resource_type\":\"$2da\",\"field_roles\":\"$2e0\",\"field_topics\":\"$2ef\"}\n2a6:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"links\":\"$2a7\",\"attributes\":\"$2a9\",\"relationships\":\"$2ad\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd?resourceVersion=id%3A5714\"}},\"attributes\":{\"drupal_internal__nid\":1148,\"drupal_internal__vid\":5714,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:45:12+00:00\",\"status\":true,\"title\":\"CMS Technical Reference Architecture (TRA)\",\"created\":\"2023-09-18T12:44:53+00:00\",\"changed\":\"2024-01-05T17:45:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-technical-reference-architecture-tra\",\"pid\":1000,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"tra-admin@cms.hhs.gov\",\"field_contact_name\":\"TRA Team\",\"field_short_description\":{\"value\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-it-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/node_type?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/node_type?resourceVersion=id%3A5714\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/revision_uid?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/revision_uid?resourceVersion=id%3A5714\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/uid?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/uid?resourceVersion=id%3A5714\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\",\"meta\":{\"target_revision_id\":16265,\"drupal_internal__target_id\":3416}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_page_section?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_page_section?resourceVersion=id%3A5714\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\",\"meta\":{\"target_revision_id\":16266,\"drupal_internal__target_id\":3417}},{\"type\":\"paragraph--internal_link\",\"id\":\"f41c8404-7b78-4975-a0ff-fff1409d6a77\",\"meta\":{\"target_revision_id\":16267,\"drupal_internal__target_id\":3418}},{\"type\":\"paragraph--internal_link\",\"id\":\"669ee575-5a38-48c7-87cc-033627065f29\",\"meta\":{\"target_revision_id\":16268,\"drupal_internal__target_id\":3419}},{\"type\":\"paragraph--internal_link\",\"id\":\"b298ff2d-1fb1-485e-84aa-92c94e581f61\",\"meta\":{\"target_revision_id\":16269,\"drupal_internal__target_id\":3420}},{\"type\":\"paragraph--internal_link\",\"id\":\"64cbbefb-4c79-4a51-a519-de08bd054e61\",\"meta\":{\"target_revision_id\":16270,\"drupal_internal__target_id\":3421}},{\"type\":\"paragraph--internal_link\",\"id\":\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\",\"meta\":{\"target_revision_id\":16271,\"drupal_internal__target_id\":3443}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_related_collection?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_related_collection?resourceVersion=id%3A5714\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_resource_type?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_resource_type?resourceVersion=id%3A5714\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_roles?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_roles?resourceVersion=id%3A5714\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_topics?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_topics?resourceVersion=id%3A5714\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/663db243-0ec9-4d3f-9589-5a0ed308fbbc\"}},\"attributes\":{\"display_name\":\"alex.kerr\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}},\"attributes\":{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1?resourceVersion=id%3A16265\"}},\"attributes\":{\"drupal_internal__id\":3416,\"drupal_internal__revision_id\":16265,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:15+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/paragraph_type?resourceVersion=id%3A16265\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/relationships/paragraph_type?resourceVersion=id%3A16265\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/field_specialty_item?resourceVersion=id%3A16265\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1/relationships/field_specialty_item?resourceVersion=id%3A16265\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414?resourceVersion=id%3A16266\"}},\"attributes\":{\"drupal_internal__id\":3417,\"drupal_internal__revision_id\":16266,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:15+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/paragraph_type?resourceVersion=id%3A16266\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/relationships/paragraph_type?resourceVersion=id%3A16266\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":{\"drupal_internal__target_id\":631}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/field_link?resourceVersion=id%3A16266\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/a39bcbf9-8522-4dcf-b5fe-49bfc2c77414/relationships/field_link?resourceVersion=id%3A16266\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"f41c8404-7b78-4975-a0ff-fff1409d6a77\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77?resourceVersion=id%3A16267\"}},\"attributes\":{\"drupal_internal__id\":3418,\"drupal_internal__revision_id\":16267,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:28+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/paragraph_type?resourceVersion=id%3A16267\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/relationships/paragraph_type?resourceVersion=id%3A16267\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"meta\":{\"drupal_internal__target_id\":206}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/field_link?resourceVersion=id%3A16267\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/f41c8404-7b78-4975-a0ff-fff1409d6a77/relationships/field_link?resourceVersion=id%3A16267\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"669ee575-5a38-48c7-87cc-033627065f29\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29?resourceVersion=id%3A16268\"}},\"attributes\":{\"drupal_internal__id\":3419,\"drupal_internal__revision_id\":16268,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:24:36+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/paragraph_type?resourceVersion=id%3A16268\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/relationships/paragraph_type?resourceVersion=id%3A16268\"}}},\"field_link\":{\"data\":{\"type\":\"node--landing\",\"id\":\"4610aa6a-34fd-46a7-b9d8-22cfc166433d\",\"meta\":{\"drupal_internal__target_id\":756}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/field_link?resourceVersion=id%3A16268\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/669ee575-5a38-48c7-87cc-033627065f29/relationships/field_link?resourceVersion=id%3A16268\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"b298ff2d-1fb1-485e-84aa-92c94e581f61\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61?resourceVersion=id%3A16269\"}},\"attributes\":{\"drupal_internal__id\":3420,\"drupal_internal__revision_id\":16269,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:43:37+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/paragraph_type?resourceVersion=id%3A16269\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/relationships/paragraph_type?resourceVersion=id%3A16269\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":{\"drupal_internal__target_id\":246}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/field_link?resourceVersion=id%3A16269\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/b298ff2d-1fb1-485e-84aa-92c94e581f61/relationships/field_link?resourceVersion=id%3A16269\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"64cbbefb-4c79-4a51-a519-de08bd054e61\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61?resourceVersion=id%3A16270\"}},\"attributes\":{\"drupal_internal__id\":3421,\"drupal_internal__revision_id\":16270,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-18T13:43:47+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/paragraph_type?resourceVersion=id%3A16270\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/relationships/paragraph_type?resourceVersion=id%3A16270\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"meta\":{\"drupal_internal__target_id\":736}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/field_link?resourceVersion=id%3A16270\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/64cbbefb-4c79-4a51-a519-de08bd054e61/relationships/field_link?resourceVersion=id%3A16270\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1?resourceVersion=id%3A16271\"}},\"attributes\":{\"drupal_internal__id\":3443,\"drupal_internal__revision_id\":16271,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-21T14:11:03+00:00\",\"parent_id\":\"1148\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/paragraph_type?resourceVersion=id%3A16271\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/relationships/paragraph_type?resourceVersion=id%3A16271\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":{\"drupal_internal__target_id\":681}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/field_link?resourceVersion=id%3A16271\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/14136e73-8c9c-4b8e-be4e-64b3ed5487a1/relationships/field_link?resourceVersion=id%3A16271\"}}}}},{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}},\"attributes\":{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":[{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}}}}},{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate (ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5737\"}}}}},{\"type\":\"node--landing\",\"id\":\"4610aa6a-34fd-46a7-b9d8-22cfc166433d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d?resourceVersion=id%3A5200\"}},\"attributes\":{\"drupal_internal__nid\":756,\"drupal_internal__vid\":5200,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T18:14:15+00:00\",\"status\":true,\"title\":\"System Authorization\",\"created\":\"2023-03-01T15:36:53+00:00\",\"changed\":\"2024-01-05T18:14:15+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/ispg/system-authorization\",\"pid\":736,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CISO Team\",\"field_short_description\":{\"value\":\"Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\",\"#security-community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ac6ed7cc-09c7-4ce7-8f9e-9fb35373d2d7\",\"meta\":{\"drupal_internal__target_id\":\"landing\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/node_type?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/node_type?resourceVersion=id%3A5200\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/revision_uid?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/revision_uid?resourceVersion=id%3A5200\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/uid?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/uid?resourceVersion=id%3A5200\"}}},\"field_content\":{\"data\":{\"type\":\"paragraph--text_block\",\"id\":\"eee26e03-5dab-4133-b5be-f0a063a62b52\",\"meta\":{\"target_revision_id\":16760,\"drupal_internal__target_id\":2226}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_content?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_content?resourceVersion=id%3A5200\"}}},\"field_resource_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"e4ed5315-a691-4d69-9698-5385d9c6e63e\",\"meta\":{\"target_revision_id\":16761,\"drupal_internal__target_id\":3292}},{\"type\":\"paragraph--internal_link\",\"id\":\"72df51c6-c0df-46bc-a901-076d7cd3f9a6\",\"meta\":{\"target_revision_id\":16762,\"drupal_internal__target_id\":3293}},{\"type\":\"paragraph--internal_link\",\"id\":\"0054e954-1b0f-4a73-8ec4-59bf4f1088fe\",\"meta\":{\"target_revision_id\":16763,\"drupal_internal__target_id\":3294}},{\"type\":\"paragraph--internal_link\",\"id\":\"994ff88f-3d2f-4128-a649-d3e7f8aa7c42\",\"meta\":{\"target_revision_id\":16764,\"drupal_internal__target_id\":3295}},{\"type\":\"paragraph--internal_link\",\"id\":\"cf58b858-f552-4913-8d7c-6ac1f91c1728\",\"meta\":{\"target_revision_id\":16765,\"drupal_internal__target_id\":3296}},{\"type\":\"paragraph--internal_link\",\"id\":\"8b52104f-ada3-4cbe-b503-6b188c9c5fd7\",\"meta\":{\"target_revision_id\":16766,\"drupal_internal__target_id\":3297}},{\"type\":\"paragraph--internal_link\",\"id\":\"be3ecc39-f0c9-405a-b5ff-862115870314\",\"meta\":{\"target_revision_id\":16767,\"drupal_internal__target_id\":3298}},{\"type\":\"paragraph--internal_link\",\"id\":\"d13c15f6-afe7-4d23-bb35-9b248f178220\",\"meta\":{\"target_revision_id\":16768,\"drupal_internal__target_id\":3299}},{\"type\":\"paragraph--internal_link\",\"id\":\"75ad8713-9fdb-4d38-84db-1bffd3972312\",\"meta\":{\"target_revision_id\":16769,\"drupal_internal__target_id\":3300}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_resource_collection?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_resource_collection?resourceVersion=id%3A5200\"}}},\"field_roles\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_roles?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_roles?resourceVersion=id%3A5200\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/field_topics?resourceVersion=id%3A5200\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/landing/4610aa6a-34fd-46a7-b9d8-22cfc166433d/relationships/field_topics?resourceVersion=id%3A5200\"}}}}},{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}},\"attributes\":{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-cloud-security-forum\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}},{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}},{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}},{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}}}}},{\"type\":\"node--explainer\",\"id\":\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=id%3A5934\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":736,\"drupal_internal__vid\":5934,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-28T13:01:56+00:00\",\"status\":true,\"title\":\"SaaS Governance (SaaSG)\",\"created\":\"2023-02-13T19:52:17+00:00\",\"changed\":\"2024-09-28T13:01:56+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/saas-governance-saasg\",\"pid\":726,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"saasg@cms.hhs.gov\",\"field_contact_name\":\"SaaSG Team\",\"field_short_description\":{\"value\":\"Considerations and guidelines for CMS business units wanting to use SaaS applications\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eConsiderations and guidelines for CMS business units wanting to use SaaS applications\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-saas-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/node_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/node_type?resourceVersion=id%3A5934\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/revision_uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/revision_uid?resourceVersion=id%3A5934\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/uid?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/uid?resourceVersion=id%3A5934\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"32796f74-9a4b-49be-b101-133dce4c4568\",\"meta\":{\"target_revision_id\":19389,\"drupal_internal__target_id\":1446}},{\"type\":\"paragraph--page_section\",\"id\":\"23cc1637-59ba-448f-8e17-e5aed202cb74\",\"meta\":{\"target_revision_id\":19396,\"drupal_internal__target_id\":3528}},{\"type\":\"paragraph--page_section\",\"id\":\"53da5747-8514-4ea5-9f3d-2905f9a61edb\",\"meta\":{\"target_revision_id\":19397,\"drupal_internal__target_id\":3529}},{\"type\":\"paragraph--page_section\",\"id\":\"c1fc448a-a41f-4061-9bc9-59b74374d79a\",\"meta\":{\"target_revision_id\":19398,\"drupal_internal__target_id\":1451}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_page_section?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_page_section?resourceVersion=id%3A5934\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"e0d07bf6-c606-4a38-ba34-9521f9e77733\",\"meta\":{\"target_revision_id\":19399,\"drupal_internal__target_id\":1671}},{\"type\":\"paragraph--internal_link\",\"id\":\"be5c8dd0-860f-4570-bf13-358733b392ca\",\"meta\":{\"target_revision_id\":19400,\"drupal_internal__target_id\":1676}},{\"type\":\"paragraph--internal_link\",\"id\":\"10abb234-5289-40da-9df3-f4e6e9c06a80\",\"meta\":{\"target_revision_id\":19401,\"drupal_internal__target_id\":1681}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_related_collection?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_related_collection?resourceVersion=id%3A5934\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_resource_type?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_resource_type?resourceVersion=id%3A5934\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_roles?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_roles?resourceVersion=id%3A5934\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/field_topics?resourceVersion=id%3A5934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a/relationships/field_topics?resourceVersion=id%3A5934\"}}}}},{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}},\"attributes\":{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy Handbooks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}},{\"type\":\"paragraph--page_section\",\"id\":\"f5048b9a-b22a-4e67-abde-e964ff928b22\",\"meta\":{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}},{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}},{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}},{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}},{\"type\":\"paragraph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id%3A5970\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\":\"$26\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$48\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$62\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$7c\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$96\",\"0bc7c1d0-b569-4514-b66c-367457dead7e\":\"$b0\",\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\":\"$ca\",\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\":\"$dd\",\"f41c8404-7b78-4975-a0ff-fff1409d6a77\":\"$ef\",\"669ee575-5a38-48c7-87cc-033627065f29\":\"$101\",\"b298ff2d-1fb1-485e-84aa-92c94e581f61\":\"$113\",\"64cbbefb-4c79-4a51-a519-de08bd054e61\":\"$125\",\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\":\"$137\",\"5077403d-f7aa-4bc8-b274-7af05e7134bb\":\"$149\",\"defa7277-790b-4bbd-b6ee-cc539e121df2\":\"$188\",\"4610aa6a-34fd-46a7-b9d8-22cfc166433d\":\"$1d2\",\"42018625-2456-415e-bd2c-f1c061290d58\":\"$215\",\"96ebc5ad-9ad8-42ae-9a18-8e35dc2c1e2a\":\"$25b\",\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\":\"$2a6\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"CMS Technical Reference Architecture (TRA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"CMS Technical Reference Architecture (TRA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"CMS Technical Reference Architecture (TRA) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cms-technical-reference-architecture-tra/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>
Reference in a new issue View git blame Copy permalink