<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security & Privacy Group</title><meta name="description" content="A streamlined risk-based control(s) testing 
methodology designed to relieve operational burden."/><link rel="canonical" href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security & Privacy Group"/><meta property="og:description" content="A streamlined risk-based control(s) testing methodology designed to relieve operational burden."/><meta property="og:url" content="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="A streamlined risk-based control(s) testing methodology designed to relieve operational burden."/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the 
United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span 
class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul 
id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk 
Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones 
(POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at 
CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button 
aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Cybersecurity and Risk Assessment Program (CSRAP)</h1><p class="hero__description">A streamlined risk-based control(s) testing methodology designed to relieve operational burden.</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">CSRAP Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CSRAP@cms.hhs.gov">CSRAP@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block 
text-block--theme-explainer"><h2 dir="ltr">What is the Cybersecurity and Risk Assessment Program (CSRAP)?</h2><p dir="ltr">The <strong>Cybersecurity and Risk Assessment Program (CSRAP)</strong> is a security and risk assessment process for FISMA systems at CMS. It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.</p><p dir="ltr">CSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk. </p><p dir="ltr">CSRAP was formerly known as the <strong>Adaptive Capabilities Testing (ACT) Program</strong> at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.</p><h2 dir="ltr">Why do I need a CSRAP assessment?</h2><p dir="ltr">CSRAP is a critical component of the <a href="https://cybergeek.cms.gov/learn/authorization-operate-ato">Authorization to Operate (ATO)</a> process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC). </p><p dir="ltr">CSRAP is strongly recommended over the traditional <a href="https://security.cms.gov/learn/security-controls-assessment-sca">Security Controls Assessment (SCA)</a>. While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. 
CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.</p><p>For detailed information about CSRAP, see the <a href="https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1&modificationDate=1711993052415&api=v2">CSRAP Handbook</a> (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).</p></div><div class="text-block text-block--theme-explainer"><h2 dir="ltr">Roles and responsibilities for CSRAP</h2><p dir="ltr">The designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team. </p><p dir="ltr">Every FISMA system and team has unique needs. The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests. </p><p>More information about each team member's specific roles and responsibilities can be found in the <a href="https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1&modificationDate=1711993052415&api=v2">CSRAP Handbook</a> (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).</p></div><div class="text-block text-block--theme-explainer"><h2 dir="ltr">Types of CSRAP assessments</h2><p dir="ltr">There are two types of assessments within the CSRAP process: <strong>Security Assessment (SA)</strong> and <strong>Risk Assessment (RA)</strong>. 
The type of assessment you need is determined by a number of factors, including:</p><ul><li dir="ltr">Whether your system is new or existing</li><li dir="ltr">Where your system is in its three-year ATO cycle</li><li dir="ltr">Whether there has been a significant change to your system</li></ul><p dir="ltr">The CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.</p><h3 dir="ltr">Security Assessment</h3><p dir="ltr">For a Security Assessment, CSRAP can be further customized to your system’s needs. The categories for CSRAP Security Assessments are defined by which controls from the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a> are included in the assessment. The Security Assessment categories are:</p><ul><li dir="ltr"><strong>Comprehensive Security Assessment</strong>: All ARS Controls are included in the assessment.</li><li dir="ltr"><strong>FISMA Annual Security Assessment</strong>: Specific ARS Controls are selected by the Authorizing Official or agency for yearly assessment, including core controls.</li><li dir="ltr"><strong>Tailored Security Assessment</strong>: Only a specified subset of ARS Controls are included in the Security Assessment.</li></ul><h3 dir="ltr">Risk Assessment</h3><p dir="ltr">Risk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. 
The CSRAP Risk Assessment framework has several benefits:</p><ul><li dir="ltr"><strong>Risk-driven rather than compliance-driven</strong>: RA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.</li><li dir="ltr"><strong>Capability-oriented rather than control-oriented</strong>: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.</li><li dir="ltr"><strong>Utilizes all available risk data</strong>: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc.).</li></ul><h4>What is included in a Risk Assessment?</h4><p dir="ltr">For existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:</p><ul><li dir="ltr">Previous Security Assessment and/or Risk Assessment</li><li dir="ltr"><a href="https://security.cms.gov/learn/penetration-testing-pentesting">Penetration Testing</a></li><li dir="ltr"><a href="https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service">Vulnerability Scanning</a></li><li dir="ltr">Validation of <a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">POA&Ms</a> closed since the last assessment</li></ul><p dir="ltr">The CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. 
In addition to the sources above, the RA for your system may pull data from the following sources:</p><ul><li dir="ltr">A-123 review</li><li dir="ltr">Data from <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> reports</li><li dir="ltr"><a href="https://security.cms.gov/learn/cms-information-system-risk-assessment-isra">Information System Risk Assessment (ISRA)</a></li><li dir="ltr">Inherited <a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">POA&Ms</a></li><li dir="ltr">Risk Vulnerability Assessment (RVA)</li><li dir="ltr"><a href="https://security.cms.gov/learn/security-controls-assessment-sca">Security Controls Assessment</a></li><li dir="ltr">Self-Assessment</li><li dir="ltr">Technical Review Board (TRB)</li><li dir="ltr">Vulnerability Testing</li></ul><h4>What is the result of a Risk Assessment?</h4><p dir="ltr">Following a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. 
This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.</p><p dir="ltr">The Risk Assessment Report divides risks into three categories:</p><ul><li dir="ltr"><strong>Inherent risks</strong><ul><li dir="ltr">Inherent risks arise directly from unmitigated findings (including open POA&Ms).</li><li dir="ltr">Example: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I&A) mechanism is weak.</li></ul></li><li dir="ltr"><strong>Residual risks</strong><ul><li dir="ltr">Residual risks arise indirectly from already mitigated findings or from some source other than technical findings.</li><li dir="ltr">Example: The system mitigated the noted I&A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.</li></ul></li><li dir="ltr"><strong>Inherited risks</strong><ul><li dir="ltr">Inherited risks exist because security controls are inherited from another system. Any open POA&M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.</li><li dir="ltr">Example: The data center hosting the system has an open POA&M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. 
Therefore, the system inherits the risk associated with this POA&M from the other system.</li></ul></li></ul></div><div class="text-block text-block--theme-explainer"><h2 dir="ltr">Scheduling your CSRAP</h2><p dir="ltr">Complete the following steps to schedule and prepare for your CSRAP assessment:</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Review CSRAP Handbook</h4><div class="margin-top-05 usa-process-list__description"><p dir="ltr">The CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect. <a href="https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1&modificationDate=1711993052415&api=v2">Review the handbook here</a> (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Prepare required artifacts</h4><div class="margin-top-05 usa-process-list__description"><p dir="ltr">You will need your <strong>Tier 1 CSRAP Artifacts</strong> to proceed with CSRAP activities. Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application. 
</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Check the available slots in Confluence</h4><div class="margin-top-05 usa-process-list__description"><p dir="ltr">Visit the CMS CSRAP Confluence page (CMS login required) using the following links to select your preferred and secondary dates for the type of CSRAP assessment you require:</p><ul><li dir="ltr"><a rel="noopener noreferrer" href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098">Schedule available Security Assessment slots</a></li><li dir="ltr"><a rel="noopener noreferrer" href="https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170">Schedule available Risk Assessment slots</a></li></ul><p dir="ltr">Then email the CSRAP Team at <a rel="noopener noreferrer" href="mailto:CSRAP@cms.hhs.gov">CSRAP@cms.hhs.gov</a> with your requested dates.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Complete the CSRAP Intake Form</h4><div class="margin-top-05 usa-process-list__description"><p dir="ltr">The CSRAP Team will confirm your dates via email and schedule the Preliminary Discussion Meeting for your assessment. They will also send you the CSRAP Intake Form and the Tier 1 document list; complete these and upload them directly to CFACTS under the Assessment tab. </p><p dir="ltr">After the Intake Form is uploaded, notify the CSRAP Team so they can review it. </p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Prepare for the Preliminary Discussion Meeting</h4><div class="margin-top-05 usa-process-list__description"><p>Your team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed <strong>Tier 1 Artifacts</strong> at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. 
The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><h2>Important due dates</h2><p dir="ltr">Once you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. You can find more details about the artifacts in the <a href="https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1&modificationDate=1711993052415&api=v2">CSRAP Handbook</a> (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).</p><ul><li dir="ltr"><strong>Tier 1 Artifacts</strong>: 3 weeks before Preliminary Discussion Meeting</li><li dir="ltr"><strong>Tier 2 Artifacts</strong>: 2 weeks before Assessment Kickoff Meeting</li><li dir="ltr"><strong>Technical Outputs</strong>: 2 weeks before Assessment Kickoff Meeting</li></ul></div><div class="text-block text-block--theme-explainer"><h2 dir="ltr">Need help?</h2><p dir="ltr">If you have questions or need assistance, contact the CSRAP team via email: <a href="mailto:CSRAP@cms.hhs.gov">CSRAP@cms.hhs.gov</a></p><p>You can also review the CSRAP Handbook for all details on the process. 
<a href="https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1&modificationDate=1711993052415&api=v2">Review the handbook here</a> (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service">Avoid database breaches with ISPG’s free vulnerability scanning service</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Before your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/risk-management-handbook-chapter-14-risk-assessment-ra">Risk Management Handbook Chapter 14: Risk Assessment (RA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>RMH Chapter 14 identifies the policies and standards for the Risk Management family of controls</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" 
href="/learn/penetration-testing-pentesting">Penetration Testing (PenTesting)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-information-system-risk-assessment-isra">CMS Information System Risk Assessment (ISRA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Documentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-security-and-privacy-handbooks">CMS Security and Privacy Handbooks</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Procedures to help CMS staff and contractors implement federal policies and standards for information security and 
privacy</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div 
class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare & Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"cybersecurity-risk-assessment-program-csrap\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"cybersecurity-risk-assessment-program-csrap\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cybersecurity-risk-assessment-program-csrap\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"cybersecurity-risk-assessment-program-csrap\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$un
of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T806,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is the Cybersecurity and Risk Assessment Program (CSRAP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/strong\u003e is a security and risk assessment process for FISMA systems at CMS. It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP was formerly known as the\u0026nbsp; \u003cstrong\u003eAdaptive Capabilities Testing (ACT) Program\u003c/strong\u003e at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. 
The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy do I need a CSRAP assessment?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a critical component of the\u0026nbsp;\u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is strongly recommended over the traditional\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment (SCA)\u003c/a\u003e. While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eFor detailed information about CSRAP, see the\u0026nbsp;\u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T806,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is the Cybersecurity and Risk Assessment Program (CSRAP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/strong\u003e is a security and risk assessment process for FISMA systems at CMS. 
It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP was formerly known as the\u0026nbsp; \u003cstrong\u003eAdaptive Capabilities Testing (ACT) Program\u003c/strong\u003e at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy do I need a CSRAP assessment?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a critical component of the\u0026nbsp;\u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is strongly recommended over the traditional\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment (SCA)\u003c/a\u003e. While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. 
CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eFor detailed information about CSRAP, see the\u0026nbsp;\u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T1b2c,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eTypes of CSRAP assessments\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThere are two types of assessments within the CSRAP process:\u0026nbsp;\u003cstrong\u003eSecurity Assessment (SA)\u003c/strong\u003e and\u0026nbsp;\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e. The type of assessment you need is determined by a number of factors, including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhether your system is new or existing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhere your system is in its three-year ATO cycle\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhether there has been a significant change to your system\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecurity Assessment\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor a Security Assessment, CSRAP can be further customized to your system’s needs. The categories for CSRAP Security Assessments are defined by which controls from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e are included in the assessment. 
The Security Assessment categories are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eComprehensive Security Assessment\u003c/strong\u003e: All ARS Controls are included in the assessment.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFISMA Annual Security Assessment\u003c/strong\u003e: Specific ARS Controls are selected by the Authorization Official or agency for yearly assessment, including core controls.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eTailored Security Assessment\u003c/strong\u003e: Only a specified subset of ARS Controls are included in the Security Assessment.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRisk Assessment\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eRisk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRisk-driven rather than compliance-driven:\u0026nbsp;\u003c/strong\u003eRA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCapability-oriented rather than control-oriented\u003c/strong\u003e: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eUtilizes all available risk data\u003c/strong\u003e: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. 
RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is included in a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrevious Security Assessment and/or Risk Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003eVulnerability Scanning\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eValidation of\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e closed since the last assessment\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. 
In addition to the sources above, the RA for your system may pull data from the following sources:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eA 123 review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eData from\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e reports\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInherited\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRisk Vulnerability Assessment (RVA)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSelf-Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVulnerability Testing\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is the result of a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFollowing a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. 
This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Risk Assessment Report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherent risks arise directly from unmitigated findings (including open POA\u0026amp;Ms).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I\u0026amp;A) mechanism is weak.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eResidual risks arise indirectly from already mitigated findings or from some source other than technical findings.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The system mitigated the noted I\u0026amp;A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherited risks exist because security controls are inherited from another system. 
Any open POA\u0026amp;M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The data center hosting the system has an open POA\u0026amp;M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA\u0026amp;M from the other system.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1b:T1b2c,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eTypes of CSRAP assessments\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThere are two types of assessments within the CSRAP process:\u0026nbsp;\u003cstrong\u003eSecurity Assessment (SA)\u003c/strong\u003e and\u0026nbsp;\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e. The type of assessment you need is determined by a number of factors, including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhether your system is new or existing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhere your system is in its three-year ATO cycle\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhether there has been a significant change to your system\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecurity Assessment\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor a Security Assessment, CSRAP can be further customized to your system’s needs. 
The categories for CSRAP Security Assessments are defined by which controls from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e are included in the assessment. The Security Assessment categories are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eComprehensive Security Assessment\u003c/strong\u003e: All ARS Controls are included in the assessment.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFISMA Annual Security Assessment\u003c/strong\u003e: Specific ARS Controls are selected by the Authorization Official or agency for yearly assessment, including core controls.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eTailored Security Assessment\u003c/strong\u003e: Only a specified subset of ARS Controls are included in the Security Assessment.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRisk Assessment\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eRisk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRisk-driven rather than compliance-driven:\u0026nbsp;\u003c/strong\u003eRA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCapability-oriented rather than control-oriented\u003c/strong\u003e: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. 
RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eUtilizes all available risk data\u003c/strong\u003e: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is included in a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrevious Security Assessment and/or Risk Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003eVulnerability Scanning\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eValidation of\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e closed since the last assessment\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. 
In addition to the sources above, the RA for your system may pull data from the following sources:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eA 123 review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eData from\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e reports\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInherited\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRisk Vulnerability Assessment (RVA)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSelf-Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVulnerability Testing\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is the result of a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFollowing a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. 
This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Risk Assessment Report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherent risks arise directly from unmitigated findings (including open POA\u0026amp;Ms).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I\u0026amp;A) mechanism is weak.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eResidual risks arise indirectly from already mitigated findings or from some source other than technical findings.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The system mitigated the noted I\u0026amp;A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherited risks exist because security controls are inherited from another system. 
Any open POA\u0026amp;M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The data center hosting the system has an open POA\u0026amp;M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA\u0026amp;M from the other system.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1c:Tbe0,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhy is database scanning important?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eScanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. This is part of the process known as Vulnerability Management (VM).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eISPG provides\u0026nbsp;\u003ca href=\"https://www.trustwave.com/en-us/services/database-security/dbprotect/\"\u003eTrustwave DbProtect\u003c/a\u003e (external link) for use throughout CMS. 
Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTrustwave DbProtect is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCompatible\u003c/strong\u003e with both on-premises and cloud-based databases\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eFree\u003c/strong\u003e for all systems at CMS\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEasy\u003c/strong\u003e to request through ServiceNow\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eWhen do I use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, the Cybersecurity Risk Assessment Program (CSRAP) strongly encourages database scanning as part of their onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eDbProtect is available even if you’re not preparing for a CSRAP assessment. Any time you’re adding a database or large data store to the system, you can use DbProtect to do it as securely as possible.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eHow do I get started?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eTo request a DbProtect scan of a database or large data store, complete the\u0026nbsp;\u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026amp;sys_id=03b71d651baa6510fed48512f54bcb70\"\u003eServiceNow workflow\u003c/a\u003e (link requires a CMS login). 
It will ask you for information about the database, and the scan will be scheduled from there.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn order to access the workflow in ServiceNow and request a scan, \u003cstrong\u003eyou will need the following CMS job codes\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_PRD\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_TRG\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eContact\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eQuestions about DbProtect or database scanning? Contact the CMS Vulnerability Assessment Team at\u0026nbsp;\u003ca href=\"mailto:VAT@cms.hhs.gov\"\u003eVAT@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:Tbe0,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhy is database scanning important?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eScanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. 
This is part of the process known as Vulnerability Management (VM).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eISPG provides\u0026nbsp;\u003ca href=\"https://www.trustwave.com/en-us/services/database-security/dbprotect/\"\u003eTrustwave DbProtect\u003c/a\u003e (external link) for use throughout CMS. Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTrustwave DbProtect is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCompatible\u003c/strong\u003e with both on-premises and cloud-based databases\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eFree\u003c/strong\u003e for all systems at CMS\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEasy\u003c/strong\u003e to request through ServiceNow\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eWhen do I use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, the Cybersecurity Risk Assessment Program (CSRAP) strongly encourages database scanning as part of their onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eDbProtect is available even if you’re not preparing for a CSRAP assessment. 
Any time you’re adding a database or large data store to the system, you can use DbProtect to do it as securely as possible.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eHow do I get started?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eTo request a DbProtect scan of a database or large data store, complete the\u0026nbsp;\u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026amp;sys_id=03b71d651baa6510fed48512f54bcb70\"\u003eServiceNow workflow\u003c/a\u003e (link requires a CMS login). It will ask you for information about the database, and the scan will be scheduled from there.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn order to access the workflow in ServiceNow and request a scan, \u003cstrong\u003eyou will need the following CMS job codes\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_PRD\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_TRG\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eContact\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eQuestions about DbProtect or database scanning? 
Contact the CMS Vulnerability Assessment Team at\u0026nbsp;\u003ca href=\"mailto:VAT@cms.hhs.gov\"\u003eVAT@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1e:T9f00,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 14: Risk Assessment provides the procedures for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).\u0026nbsp;This document describes procedures that facilitate the implementation of security controls associated with the Risk Assessment (RA) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 14.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Assessment controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Categorization (RA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, and/or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an organization. 
The security category of an information type can be associated with both user information and system information. Establishing an appropriate security category of an information type requires determining the potential impact level for each security objective of confidentiality, integrity, and availability (CIA) associated with the particular information type.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eSecurity Objective\u003c/th\u003e\u003cth\u003eLow impact potential\u003c/th\u003e\u003cth\u003eModerate impact potential\u003c/th\u003e\u003cth\u003eHigh impact potential\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e\u0026nbsp;adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eGuarding against improper information modification or destruction\u0026nbsp;and includes ensuring information non-repudiation and authenticity.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eEnsuring timely and reliable access to and use of information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each new system must define its security categorization within the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. Before the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e can be developed, the information system and the information resident within that system must be categorized based on the Federal Information Processing Standards Publication 199 (FIPS 199). NIST Special Publication 800-60 Volume I: \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories \u003c/em\u003eprovides a guideline for mapping types of information and information systems to security categories and works in conjunction with FIPS 199.\u003c/p\u003e\u003cp\u003eThe SSPP provides the detailed descriptions of all the implemented controls by the CMS ARS categories to minimize risks. 
Authorization boundaries are also developed and reviewed in correlation with the security categorization as the boundary has a direct effect on the categorization of the system. CMS has synthesized and identified the information types that apply to CMS into 11 information types:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Information Types\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation Type\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSystem Security Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ee-Authentication Level\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInvestigation, intelligence-related, and security information (14 CFR PART 191.5(D))\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMission Critical Information\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation About Persons\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 2 or Level 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFinancial, budgetary, commercial, proprietary and trade secret information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal Administration\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Federal Agency Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNew technology controlled scientific information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational 
Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Configuration Management Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Sensitive Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eLevel 2\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eNone or Level 1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe security categorization for an information system is completed by the Information System Security Officer and approved by the Information System Owner. All CMS information systems categorized as High or Moderate are considered sensitive or contain sensitive information. All CMS information systems categorized as Low are considered non-sensitive or contain non- sensitive information. Organizations implement the minimum security requirements and controls as established in the current CMS Information Security ARS Standard, based on the system security categorization. 
When identifying information types and assigning appropriate security categorizations for CMS systems, it is essential that the Data Guardian, Information System Owner, Business Owner, Information System Security Officer, and Cyber Risk Advisor coordinate their efforts.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a security categorization on an information system using CFACTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1\u003c/strong\u003e: Login to CFACTS and select the “Assessment \u0026amp; Authorization (A\u0026amp;A)” dropdown tab from the top menu.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2\u003c/strong\u003e: Click on the “Authorization Package - Records” under the “Quick Links” section.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3\u003c/strong\u003e: Select the appropriate information system. You may also find the information system by clicking on the search icon in the top right of the page and specifying search criteria.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4\u003c/strong\u003e: Once the information system has been located, click on the system name to open the authorization package for the system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e: Select the “Security Category” tab from the top navigation tab of the authorization package.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6\u003c/strong\u003e: Click “Edit” at the top of the authorization package window.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7\u003c/strong\u003e: Answer the following question in the Organizational Users Section: “Is this system accessed by non-organizational users?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 8\u003c/strong\u003e: Select the information types processed, stored or transmitted by the system.\u003cul\u003e\u003cli\u003eFor help determining who is considered an organizational user and a non- organizational user, see 
the help text by clicking on the question mark to the left of the question.\u003c/li\u003e\u003cli\u003eIn the Information Type section, click on the right hand side of the “Lookup” title bar in the upper right hand corner.\u003c/li\u003e\u003cli\u003eIn the “Record Lookup” pop up, select the checkbox to the left of each information type that is used by your information system.\u003c/li\u003e\u003cli\u003eClick “Ok” when done.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 9: \u003c/strong\u003eAnswer the following question in the Personally Identifiable Information (PII) section: “Does this FISMA system collect, maintain, use or share Personally Identifiable Information (PII)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 10: \u003c/strong\u003eAnswer the following question in the Protected Health Information (PHI) section: “Is the data maintained in this FISMA system considered electronic Protected Health Information (PHI)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 11\u003c/strong\u003e: Click “Save” at the top of the screen to save all changes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe SOP ultimately reviews and approves the categorization of information systems that process, store, or transmit PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRisk assessment is the process of identifying risks, both business and technical, to organizational operations’ mission, functions, image, and reputation, including individuals, organizational assets, other organizations, and the Nation, resulting from the operation of an information system. 
As part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security and privacy controls planned or in place.\u003c/p\u003e\u003cp\u003eThis publication focuses on the risk assessment component of risk management—providing a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time. Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security and privacy risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments, commensurate with the expressly defined purpose and scope of the assessments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBasic Risk Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, \u003cem\u003eManaging Information Security Risk: Organization, Mission, and Information System View\u003c/em\u003e. Risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk. 
Figure 2 illustrates the four steps in the risk management process—including the risk assessment step and the information and communications flows necessary to make the process work effectively.\u003c/p\u003e\u003cp\u003eAs laid out by NIST in 800-30, the first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.\u003c/p\u003e\u003cp\u003eThe second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm, i.e., impact to the organization, and likelihood of harm occurring).\u003c/p\u003e\u003cp\u003eThe third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of a risk assessment. 
The purpose of the risk response component is to provide a consistent, organization-wide response to risk, or “risk mitigation plan”, in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action.\u003c/p\u003e\u003cp\u003eThe fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame); (ii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (iii) verify that planned risk responses are implemented and information security and privacy requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.\u003c/p\u003e\u003cp\u003eEffective information security and privacy-related risk management is a holistic activity and requires integration of risk input from the information system level (Tier 3) through the organization’s business processes (Tier 2) and up through the governance of the enterprise (Tier 1). Risk management among the top and bottom tier are bi-directional as the highest tier directs the lower tiers through policy and processes, and the lower tier feeds tactical risk back up the enterprise. 
The RMF primarily operates at Tier 3 but does involve interactions in the other two tiers through feedback from ongoing authorization decisions and dissemination of updated threat and risk information to authorizing officials and information system owners.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk Models\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight what strongly affects the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition. Risk factors\u0026nbsp;can be decomposed into more detailed characteristics (e.g., threats decomposed into threat sources and threat events). These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities, impact, and other risk factors to effectively determine risk.\u003c/p\u003e\u003cp\u003eAs noted above, risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur. This definition accommodates many types of adverse impacts at all tiers in the risk management hierarchy described in NIST Special Publication 800-39 (e.g., damage to image or reputation of the organization or financial loss at Tier 1; inability to successfully execute a specific mission/business process at Tier 2; or the resources expended in responding to an information system incident at Tier 3). 
It also accommodates relationships among impacts (e.g., loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems). For purposes of risk communication, risk is generally grouped according to the types of adverse impacts and possibly the time frames in which those impacts are likely to be experienced.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-19-03, Federal Agencies must extend their risk management approach to include \u003ca href=\"https://policy.cio.gov/hva/definition/\"\u003eHigh Value Assets (HVA)\u003c/a\u003e. HVAs are assets, information systems, information, and data whose unauthorized use could cause a significant impact to the United States’ national security interests. HVA risk assessments require the agency to incorporate enterprise-wide risk considerations to include operational, business, mission, and continuity. Agencies' assessment of risk should consider not only the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies. 
Agencies' assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies' Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies' actual, related, or similar assets.\u003c/p\u003e\u003cp\u003eCMS information systems are encouraged to implement the requirements mentioned in the HHS High Value Asset Program Policy, the controls from the \u003ca href=\"https://www.cisa.gov/publication/high-value-asset-control-overlay\"\u003eCybersecurity and Infrastructure Security Agency (CISA) High Value Asset Control Overlay\u003c/a\u003e and the CMS Acceptable Risk Safeguards (ARS), which specifies security control implementations that aim to make HVAs more resistant to attacks, limit the damage from attacks when they occur, and improve resiliency and survivability.\u003c/p\u003e\u003cp\u003eCMS must conduct independent third party or CISA led HVA assessments within the CISA-defined frequency, methodology standards and assessment-specific requirements. CISA has established Tier Designations 1, 2 and 3, which determine the above frequency, standards and requirements.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn accordance with FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and the HHS IS2P, CMS is responsible for the ongoing assessment and authorization of all information systems classified as HVAs. 
In coordination with the Division of Security \u0026amp; Privacy Compliance (DSPC), assessments are conducted to ensure the accuracy of the information pertaining to the security posture of information systems, and the tailoring and implementation of security and privacy controls following the selection of the appropriate baseline mapped to the CMS IS2P2. CMS HVA assessments are required to include and be consistent with CISA HVA assessment requirements and expectations.\u003c/p\u003e\u003cp\u003eThe Information System Security Officer (ISSO) is responsible for preparing their information system for upcoming assessments by\u003c/p\u003e\u003col\u003e\u003cli\u003eParticipating in assessment activities as detailed in the assessment schedule\u003c/li\u003e\u003cli\u003eRequesting access to the CISA file repository (HSIN) for RVA artifact requests.\u003c/li\u003e\u003cli\u003eRemediating identified issues in a timely manner as stated in the HVA Assessment Report.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eCISA-Led HVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS, in coordination with the Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS), must perform certain actions to ensure effective identification and timely remediation of weaknesses based on HVA system assessments. All Tier 1 designated HVAs are to be assessed by CISA once every three (3) years. 
The below actions follow the \u003ca href=\"https://cyber.dhs.gov/bod/18-02/\"\u003eBinding Operational Directive 18-02\u003c/a\u003e with CMS specific additions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSubmit to CISA a single Rules of Engagement (ROE) and complete an RVA intake form once the system has been identified for a CISA RVA.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe applicable ROE is maintained between HHS and CISA and applies to all HVA assessments across the departments\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each HVA and related system(s) to be assessed, one ROE Appendix A titled \u003cem\u003e“RVA Services for High Value Assets and Related Systems,” \u003c/em\u003eauthorizing CISA to conduct a HVA Risk and Vulnerability Assessment (RVA) on the CMS HVA and related systems.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eAppendix A specifies all of the IPs in scope for the assessment. 
Note that it will likely be necessary for the assessment to stop and the Appendix to be revised if IPs must be added during the assessment.\u003c/li\u003e\u003cli\u003eAppendix B will also be necessary if a third party contractor is involved in the assessment\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFully participate in the HVA assessment activities authorized by the ROE.\u003c/li\u003e\u003cli\u003eFully participate in a Security Assessment Report (SAR) after RVA completion.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eAs of FY2021, CISA has revised the HVA assessment methodology to include both the security architecture (previously SAR) and technical assessment (previously RVA) during a single engagement.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS systems shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by CISA, or the scope of the systems that are part of or related to the HVA being assessed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe expected scope of the HVA assessment will be the full operational “footprint” of the HVA. The hosting site and supporting services should expect to be involved. 
Generally any systems that are providing inheritable controls to the HVA will be included in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAfter completion of the assessment, the BO and ISSO must ensure timely remediation of identified vulnerabilities and report remediation plans and progress by following the below\u003c/p\u003e\u003col\u003e\u003cli\u003eWithin 30 days of receipt of the HVA assessment reports identifying major or critical weaknesses to an assessed HVA, remediate all major and critical weaknesses and provide notification to CISA that each identified weakness was addressed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eHigh, Major or Critical findings must be reported to CISA as remediated within 30 days. This is in addition to HHS requirements specified in the HHS HVA Policy and CMS POA\u0026amp;M requirements.\u003c/li\u003e\u003cli\u003eThe 30 days timing is considered to be in relation to the final assessment report. Remediation efforts should be undertaken as soon as possible after the potential finding is identified to maximize the available remediation time.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIf it is determined by the designated Senior Accountable Official for Risk Management (SAORM) that full remediation cannot be completed within the initial 30 day timeframe, develop and submit to CISA a remediation plan with remaining major or critical weaknesses within 30 days of the receipt of the RVA and/or SAR reports.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003ei. 
\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe HHS SAORM is the HHS CIO, and must approve anything other than full remediation within the initial 30 days after the final report is issued, in addition to all CMS approvals.\u003c/p\u003e\u003col\u003e\u003cli\u003eThis remediation plan shall include justification for the extended timeline, the proposed timeline and associated milestones to remediation (not to exceed one year), interim mitigation actions planned to address immediate vulnerabilities, and, if relevant, the identification of constraints related to policy, budget, workforce, and operations. This remediation plan must be signed by the designated SAORM prior to submission to CISA.\u003c/li\u003e\u003cli\u003eHHS reports the status of each remaining major or critical weakness to CISA every 30 days until full remediation is achieved. Status reports must address HVA assessment results through combined reporting and must be submitted every 30 days after the submission of the remediation plan described above.\u003c/li\u003e\u003cli\u003eHHS notifies CISA via monthly status reports of any modifications to remediation plan timelines and when full remediation has been achieved. The notifications for modifications and full remediation must be certified under signature of the designated SAORM.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eCISA will manage the progress and report submissions associated with these actions. If deadlines outlined above are not being met, CISA will engage the CMS CISO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Scanning (RA-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA vulnerability is a weakness that can be accidentally triggered or intentionally exploited, usually due to misconfigurations. Vulnerability scanning is a non-destructive form of testing that provides an organized approach to the testing, identification, analysis and reporting of potential security issues on a network. 
Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and must rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities. Network-based scanning without host credentials can be performed both internally and externally—and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.\u003c/p\u003e\u003cp\u003eFor local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host Operating Systems (OS) and application misconfigurations and vulnerabilities—both network-exploitable and locally exploitable. Local scanning is able to detect\u0026nbsp;vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.\u003c/p\u003e\u003cp\u003eThe foundation for effective vulnerability scanning includes having an asset inventory management process (e.g. automated tools and their processes) in place. Without a robust asset inventory management process in place there is an increased risk that the asset inventory is incomplete which may impact downstream processes to include vulnerability scanning and security configuration. 
This may lead to vulnerabilities and misconfigurations going unidentified and may result in exploitable conditions.\u003c/p\u003e\u003cp\u003eThe results from a vulnerability scan can show the path an adversary can take once they have gained access to the network and how much data they could collect. Vulnerability scans can also support penetration testing (CA-8) by providing information on targets for the penetration testing team to look into. Some examples of scanning activities are:\u003c/p\u003e\u003col\u003e\u003cli\u003escanning for patch levels;\u003c/li\u003e\u003cli\u003escanning for functions, ports, protocols, and services that should not be accessible to users or devices; and\u003c/li\u003e\u003cli\u003escanning for improperly configured or incorrectly operating information flow control mechanisms. Based on the information provided, the organization can then remediate vulnerabilities identified and work towards improving the security of the network.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFor CMS, the security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. All data centers must have a vulnerability scanner in place before connecting to the CMS network, either through their own vendor-provided scanner or by establishing a connection with the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e team at the CMS Cybersecurity Integration Center (CCIC). One of the services provided by the CCIC includes vulnerability scanning, with support in place for all scanning needed from infrastructure to endpoint. The CCIC supports risk analysis at CMS by ingesting scan logs and identifying risks through its Security Incident Event Management (SIEM) tool. 
In order to set up vulnerability scanning for new systems, please send an email to the CDM Manager using this email address: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf a datacenter chooses not to utilize the vulnerability scanning service provided by the CCIC then they are able to choose a vendor-provided one. There are requirements that must be met for those System Owners who decide not to use the CCIC. These requirements include the baseline configurations that must be scanned against, such as those found in \u003cem\u003eRisk Management Handbook Chapter 5 Configuration Management\u0026nbsp;\u003c/em\u003e(CM-6). Information for meeting these requirements is\u0026nbsp;found in the \u003cem\u003eCMS CCIC Integration Requirements \u003c/em\u003edocument. For access to this document, please reach out to the CDM Manager by sending an email to: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eWhen vulnerabilities are discovered they must be mitigated within a given timeframe. 
This timeframe varies depending on the criticality of the vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical vulnerabilities within \u003cstrong\u003e15 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eHigh vulnerabilities within \u003cstrong\u003e30 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eModerate vulnerabilities within \u003cstrong\u003e90 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eLow vulnerabilities within \u003cstrong\u003e365 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the identified vulnerabilities cannot be mitigated within the given time frame and exceed those thresholds then they must be documented in the designated POA\u0026amp;M as weaknesses and mitigated through timelines defined for the corresponding level of weakness.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control RA-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications [\u003cem\u003eAssignment: organization- defined frequency and/or randomly in accordance with organization-defined process\u003c/em\u003e] and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eEmploys vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process 
by using standards for:\u003cul\u003e\u003cli\u003eEnumerating platforms, software flaws, and improper configurations;\u003c/li\u003e\u003cli\u003eFormatting checklists and test procedures; and\u003c/li\u003e\u003cli\u003eMeasuring vulnerability impact;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAnalyzes vulnerability scan reports and results from security control assessments;\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities [\u003cem\u003eAssignment: organization-defined response times\u003c/em\u003e] in accordance with an organizational assessment of risk; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with [\u003cem\u003eAssignment: organization-defined personnel or roles\u003c/em\u003e] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications no less often than once every 72 hours and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eComplies with the DHS Continuous Diagnostics and Mitigation (CDM) program and CMS requirements, including 
complying with required reporting metrics (e.g., CyberScope);\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities based on the Business Owner’s risk prioritization in accordance with the guidance defined under security control SI-02; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with affected/related stakeholders on a “need to know” basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Tool Capability (RA-5(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS has the capability to update the scanning tools it uses for vulnerability scanning efforts. New vulnerabilities are discovered constantly, and it is essential to update the capabilities of the tools used as new vulnerabilities are discovered, announced, and published. Better scanning methods are therefore developed in response to the ever-changing threat landscape. As new updates and versions of the vulnerability scanning tools become available, they must be updated in order to ensure that the latest capabilities are deployed in scanning the CMS network. Vendor-provided tools will include a process to update as agreed between the vendor and datacenter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Frequency/Prior to New Scan/When Identified (RA-5(2))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is updating the vulnerabilities it is scanning for on a regular basis through a defined frequency, prior to each new scan, and when identified. 
Readily updating the vulnerabilities that are scanned helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for updating the information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters – Control RA-5(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(2)\u003c/td\u003e\u003ctd\u003eThe organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].\u003c/td\u003e\u003ctd\u003eThe organization updates the database of known information system vulnerabilities to be used in the scanning process no less often than every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eSystem Owners whose systems are not covered by the CCIC must provide documentation to demonstrate that the vulnerability databases used by their vendor-provided tools are updated no less often than once every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDiscoverable Information (RA-5(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is determining the information that potential adversaries can discover in the event of malicious activities against the CMS network. 
In addition, this control requires that corrective actions are identified and then taken to limit the information discoverable by adversaries. In order to ensure that vulnerability scans are prompting appropriate corrective actions, organizations must be able to determine what information is discoverable by adversaries. For systems that are scanned by the CCIC, the CDM team utilizes a Security Intelligence Hub (SIH) that acts as a central repository of vulnerability information and holds such data specific to that scan for one (1) year. Included in this information are corrective actions that the ISSO can take to remedy the identified vulnerabilities in their systems. The ISSO may request access to this repository by sending an email to the CDM Manager at \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSystem Owners whose systems are not scanned by the CCIC must provide documentation to the CDM team detailing the information discoverable on their systems to adversaries. This can be done by performing annual searches of common internet locations to find out what information is available on the internet about your system. The procedures for documenting this discoverable information should follow the basic who, what, when, where, and why format. 
Once this information is determined and documented, the Division of Cyber Threat and Security Operations, System Owner, and Contractor Staff will establish a meeting to identify and carry out the appropriate corrective actions.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(4):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters – Control RA-5(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment:\u003c/p\u003e\u003cp\u003eorganization-defined corrective actions].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries, and subsequently takes appropriate corrective\u003c/p\u003e\u003cp\u003eactions to limit discoverable system information.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003e\u0026nbsp;Privileged Access (RA-5(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere are systems on the CMS network that require privileged access. In order to conduct vulnerability scans on these systems, there must be an ability for the scanners to receive privileged access to these systems. A complete analysis of the privileged areas of system appliances cannot be performed without the necessary privileged access. 
The purpose of this control is to ensure that CMS identifies the information system components that require privileged access and the vulnerability scanning activities that require such access, as well as ensuring that privileged access is implemented for these activities.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(5):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control RA-5(5)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(5)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe information system implements privileged access authorization to operating system, telecommunications, and configuration components for selected vulnerability scanning activities to facilitate more thorough scanning.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThis can be achieved by obtaining appropriate management approval to allow privileged users such as Firewall Privileged Users and Intrusion Detection Privileged Users to perform vulnerability assessment from the privileged accounts perspective. Because the credentials used for such credentialed scanning themselves confer privileged access across many components, they should be dedicated to scanning, limited to the access the selected scanning activities require, and protected and monitored like any other privileged account.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1f:T9f00,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 14: Risk Assessment provides the procedures for 
implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).\u0026nbsp;This document describes procedures that facilitate the implementation of security controls associated with the Risk Assessment (RA) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 14.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Assessment controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Categorization (RA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, and/or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an organization. The security category of an information type can be associated with both user information and system information. 
Establishing an appropriate security category of an information type requires determining the potential impact level for each security objectives of confidentiality, integrity, and availability (CIA) associated with the particular information type.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eSecurity Objective\u003c/th\u003e\u003cth\u003eLow impact potential\u003c/th\u003e\u003cth\u003eModerate impact potential\u003c/th\u003e\u003cth\u003eHigh impact potential\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e\u0026nbsp;adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eGuarding against improper information modification or destruction\u0026nbsp;and includes ensuring information non-repudiation and authenticity.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eEnsuring timely and reliable access to and use of information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each new system must define its security categorization within the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. Before the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e can be developed, the information system and the information resident within that system must be categorized based on the Federal Information Processing Standards Publication 199 (FIPS 199). NIST Special Publication 800-60 Volume I: \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories \u003c/em\u003eprovides a guideline for mapping types of information and information systems to security categories and works in conjunction with FIPS 199.\u003c/p\u003e\u003cp\u003eThe SSPP provides the detailed descriptions of all the implemented controls by the CMS ARS categories to minimize risks. 
Authorization boundaries are also developed and reviewed in correlation with the security categorization as the boundary has a direct effect on the categorization of the system. CMS has synthesized and identified the information types that apply to CMS into 11 information types:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Information Types\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation Type\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSystem Security Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ee-Authentication Level\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInvestigation, intelligence-related, and security information (14 CFR PART 191.5(D))\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMission Critical Information\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation About Persons\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 2 or Level 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFinancial, budgetary, commercial, proprietary and trade secret information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal Administration\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Federal Agency Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNew technology controlled scientific information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational 
Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Configuration Management Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Sensitive Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eLevel 2\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eNone or Level 1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe security categorization for an information system is completed by the Information System Security Officer and approved by the Information System Owner. All CMS information systems categorized as High or Moderate are considered sensitive or contain sensitive information. All CMS information systems categorized as Low are considered non-sensitive or contain non-sensitive information. Organizations implement the minimum security requirements and controls as established in the current CMS Information Security ARS Standard, based on the system security categorization. 
When identifying information types and assigning appropriate security categorizations for CMS systems, it is essential that the Data Guardian, Information System Owner, Business Owner, Information System Security Officer, and Cyber Risk Advisor coordinate their efforts.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a security categorization on an information system using CFACTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1\u003c/strong\u003e: Login to CFACTS and select the “Assessment \u0026amp; Authorization (A\u0026amp;A)” dropdown tab from the top menu.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2\u003c/strong\u003e: Click on the “Authorization Package - Records” under the “Quick Links” section.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3\u003c/strong\u003e: Select the appropriate information system. You may also find the information system by clicking on the search icon in the top right of the page and specifying search criteria.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4\u003c/strong\u003e: Once the information system has been located, click on the system name to open the authorization package for the system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e: Select the “Security Category” tab from the top navigation tab of the authorization package.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6\u003c/strong\u003e: Click “Edit” at the top of the authorization package window.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7\u003c/strong\u003e: Answer the following question in the Organizational Users Section: “Is this system accessed by non-organizational users?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 8\u003c/strong\u003e: Select the information types processed, stored or transmitted by the system.\u003cul\u003e\u003cli\u003eFor help determining who is considered an organizational user and a non- organizational user, see 
the help text by clicking on the question mark to the left of the question.\u003c/li\u003e\u003cli\u003eIn the Information Type section, click on the right hand side of the “Lookup” title bar in the upper right hand corner.\u003c/li\u003e\u003cli\u003eIn the “Record Lookup” pop up, select the checkbox to the left of each information type that is used by your information system.\u003c/li\u003e\u003cli\u003eClick “Ok” when done.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 9: \u003c/strong\u003eAnswer the following question in the Personally Identifiable Information (PII) section: “Does this FISMA system collect, maintain, use or share Personally Identifiable Information (PII)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 10: \u003c/strong\u003eAnswer the following question in the Protected Health Information (PHI) section: “Is the data maintained in this FISMA system considered electronic Protected Health Information (PHI)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 11\u003c/strong\u003e: Click “Save” at the top of the screen to save all changes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe SOP ultimately reviews and approves the categorization of information systems that process, store, or transmit PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRisk assessment is the process of identifying risks, both business and technical, to organizational operations’ mission, functions, image, and reputation, including individuals, organizational assets, other organizations, and the Nation, resulting from the operation of an information system. 
As part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security and privacy controls planned or in place.\u003c/p\u003e\u003cp\u003eNIST Special Publication 800-30 focuses on the risk assessment component of risk management—providing a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time. Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security and privacy risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments commensurate with the expressly defined purpose and scope of the assessments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBasic Risk Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, \u003cem\u003eManaging Information Security Risk: Organization, Mission, and Information System View\u003c/em\u003e. Risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk. 
Figure 2 illustrates the four steps in the risk management process—including the risk assessment step and the information and communications flows necessary to make the process work effectively.\u003c/p\u003e\u003cp\u003eAs laid out by NIST in 800-30, the first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.\u003c/p\u003e\u003cp\u003eThe second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm, i.e., impact to the organization, and likelihood of harm occurring).\u003c/p\u003e\u003cp\u003eThe third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of a risk assessment. 
The purpose of the risk response component is to provide a consistent, organization-wide response to risk, or “risk mitigation plan”, in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action.\u003c/p\u003e\u003cp\u003eThe fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame); (ii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (iii) verify that planned risk responses are implemented and information security and privacy requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.\u003c/p\u003e\u003cp\u003eEffective information security and privacy-related risk management is a holistic activity and requires integration of risk input from the information system level (Tier 3) through the organization’s business processes (Tier 2) and up through the governance of the enterprise (Tier 1). Risk management among the top and bottom tier are bi-directional as the highest tier directs the lower tiers through policy and processes, and the lower tier feeds tactical risk back up the enterprise. 
The RMF primarily operates at Tier 3 but does involve interactions in the other two tiers through feedback from ongoing authorization decisions and dissemination of updated threat and risk information to authorizing officials and information system owners.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk Models\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight what strongly affects the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition. Risk factors\u0026nbsp;can be decomposed into more detailed characteristics (e.g., threats decomposed into threat sources and threat events). These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities, impact, and other risk factors to effectively determine risk.\u003c/p\u003e\u003cp\u003eAs noted above, risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur. This definition accommodates many types of adverse impacts at all tiers in the risk management hierarchy described in NIST Special Publication 800-39 (e.g., damage to image or reputation of the organization or financial loss at Tier 1; inability to successfully execute a specific mission/business process at Tier 2; or the resources expended in responding to an information system incident at Tier 3). 
It also accommodates relationships among impacts (e.g., loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems). For purposes of risk communication, risk is generally grouped according to the types of adverse impacts and possibly the time frames in which those impacts are likely to be experienced.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-19-03, Federal Agencies must extend their risk management approach to include \u003ca href=\"https://policy.cio.gov/hva/definition/\"\u003eHigh Value Assets (HVA)\u003c/a\u003e. HVAs are assets, information systems, information, and data whose unauthorized use could cause a significant impact to the United States’ national security interests. HVA risk assessments require the agency to incorporate enterprise-wide risk considerations to include operational, business, mission, and continuity. Agencies' assessment of risk should consider not only the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies. 
Agencies' assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies' Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies' actual, related, or similar assets.\u003c/p\u003e\u003cp\u003eCMS information systems are encouraged to implement the requirements mentioned in the HHS High Value Asset Program Policy, the controls from the \u003ca href=\"https://www.cisa.gov/publication/high-value-asset-control-overlay\"\u003eCybersecurity and Infrastructure Security Agency (CISA) High Value Asset Control Overlay\u003c/a\u003e, and the CMS Acceptable Risk Safeguards (ARS), which specify security control implementations that aim to make HVAs more resistant to attacks, limit the damage from attacks when they occur, and improve resiliency and survivability.\u003c/p\u003e\u003cp\u003eCMS must conduct independent third-party or CISA-led HVA assessments within the CISA-defined frequency, methodology standards, and assessment-specific requirements. CISA has established Tier Designations 1, 2, and 3, which determine the above frequency, standard, and requirement.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn accordance with FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, and the HHS IS2P, CMS is responsible for the ongoing assessment and authorization of all information systems classified as HVAs. 
In coordination with the Division of Security \u0026amp; Privacy Compliance (DSPC), assessments are conducted to ensure the accuracy of the information pertaining to the security posture of information systems, and the tailoring and implementation of security and privacy controls following the selection of the appropriate baseline mapped to the CMS IS2P2. CMS HVA assessments are required to include and be consistent with CISA HVA assessment requirements and expectations.\u003c/p\u003e\u003cp\u003eThe Information System Security Officer (ISSO) is responsible for preparing their information system for upcoming assessments by:\u003c/p\u003e\u003col\u003e\u003cli\u003eParticipating in assessment activities as detailed in the assessment schedule\u003c/li\u003e\u003cli\u003eRequesting access to the CISA file repository for RVA artifacts requests (HSIN).\u003c/li\u003e\u003cli\u003eRemediating identified issues in a timely manner as stated in the HVA Assessment Report.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eCISA-Led HVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS, in coordination with the Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS), must perform certain actions to ensure effective identification and timely remediation of weaknesses based on HVA system assessments. All Tier 1 designated HVAs are to be assessed by CISA once every three (3) years. 
The below actions follow the \u003ca href=\"https://cyber.dhs.gov/bod/18-02/\"\u003eBinding Operational Directive 18-02\u003c/a\u003e with CMS-specific additions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSubmit to CISA a single Rules of Engagement (ROE) and complete an RVA intake form once the system has been identified for a CISA RVA.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe applicable ROE is maintained between HHS and CISA and applies to all HVA assessments across the departments\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each HVA and related system(s) to be assessed, submit one ROE Appendix A titled \u003cem\u003e“RVA Services for High Value Assets and Related Systems,” \u003c/em\u003eauthorizing CISA to conduct an HVA Risk and Vulnerability Assessment (RVA) on the CMS HVA and related systems.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eAppendix A specifies all of the IPs in scope for the assessment. 
Note that it will likely be necessary for the assessment to stop and the Appendix to be revised if IPs must be added during the assessment.\u003c/li\u003e\u003cli\u003eAppendix B will also be necessary if a third-party contractor is involved in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFully participate in the HVA assessment activities authorized by the ROE.\u003c/li\u003e\u003cli\u003eFully participate in a Security Assessment Report (SAR) after RVA completion.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eAs of FY2021, CISA has revised the HVA assessment methodology to include both the security architecture (previously SAR) and technical assessment (previously RVA) during a single engagement.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS systems shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by CISA, or the scope of the systems that are part of or related to the HVA being assessed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe expected scope of the HVA assessment will be the full operational “footprint” of the HVA. The hosting site and supporting services should expect to be involved. 
Generally, any systems that are providing inheritable controls to the HVA will be included in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAfter completion of the assessment, the BO and ISSO must ensure timely remediation of identified vulnerabilities and report remediation plans and progress by following the steps below:\u003c/p\u003e\u003col\u003e\u003cli\u003eWithin 30 days of receipt of the HVA assessment reports identifying major or critical weaknesses to an assessed HVA, remediate all major or critical weaknesses and provide notification to CISA that each identified weakness was addressed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eHigh, Major or Critical findings must be reported to CISA as remediated within 30 days. This is in addition to HHS requirements specified in the HHS HVA Policy and CMS POA\u0026amp;M requirements.\u003c/li\u003e\u003cli\u003eThe 30-day timing is considered to be in relation to the final assessment report. Remediation efforts should be undertaken as soon as possible after the potential finding is identified to maximize the available remediation time.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIf it is determined by the designated Senior Accountable Official for Risk Management (SAORM) that full remediation cannot be completed within the initial 30-day timeframe, develop and submit to CISA a remediation plan with remaining major or critical weaknesses within 30 days of the receipt of the RVA and/or SAR reports.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003ei. 
\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe HHS SAORM is the HHS CIO, and must approve anything other than full remediation within the initial 30 days after the final report is issued, in addition to all CMS approvals.\u003c/p\u003e\u003col\u003e\u003cli\u003eThis remediation plan shall include justification for the extended timeline, the proposed timeline and associated milestones to remediation (not to exceed one year), interim mitigation actions planned to address immediate vulnerabilities, and, if relevant, the identification of constraints related to policy, budget, workforce, and operations. This remediation plan must be signed by the designated SAORM prior to submission to CISA.\u003c/li\u003e\u003cli\u003eHHS reports the status of each remaining major or critical weakness to CISA every 30 days until full remediation is achieved. Status reports must address HVA assessment results through combined reporting and must be submitted every 30 days after the submission of the remediation plan described above.\u003c/li\u003e\u003cli\u003eHHS notifies CISA via monthly status reports of any modifications to remediation plan timelines and when full remediation has been achieved. The notifications for modifications and full remediation must be certified under signature of the designated SAORM.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eCISA will manage the progress and report submissions associated with these actions. If the deadlines outlined above are not being met, CISA will engage the CMS CISO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Scanning (RA-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA vulnerability is a weakness that can be accidentally triggered or intentionally exploited, usually due to misconfigurations. Vulnerability scanning is a non-destructive form of testing that provides an organized approach to the testing, identification, analysis and reporting of potential security issues on a network. 
Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and must rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities. Network-based scanning without host credentials can be performed both internally and externally—and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.\u003c/p\u003e\u003cp\u003eFor local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host Operating Systems (OS) and application misconfigurations and vulnerabilities—both network-exploitable and locally exploitable. Local scanning is able to detect\u0026nbsp;vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.\u003c/p\u003e\u003cp\u003eThe foundation for effective vulnerability scanning includes having an asset inventory management process (e.g. automated tools and their processes) in place. Without a robust asset inventory management process in place there is an increased risk that the asset inventory is incomplete which may impact downstream processes to include vulnerability scanning and security configuration. 
This may lead to vulnerabilities and misconfigurations going unidentified and may result in exploitable conditions.\u003c/p\u003e\u003cp\u003eThe results from a vulnerability scan can show the path an adversary can take once they have gained access to the network and how much data they could collect. Vulnerability scans can also support penetration testing (CA-8) by providing information on targets for the penetration testing team to look into. Some examples of scanning activities are:\u003c/p\u003e\u003col\u003e\u003cli\u003escanning for patch levels;\u003c/li\u003e\u003cli\u003escanning for functions, ports, protocols, and services that should not be accessible to users or devices; and\u003c/li\u003e\u003cli\u003escanning for improperly configured or incorrectly operating information flow control mechanisms. Based on the information provided, the organization can then remediate vulnerabilities identified and work towards improving the security of the network.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFor CMS, the security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. All data centers must have a vulnerability scanner in place before connecting to the CMS network, either through their own vendor-provided scanner or by establishing a connection with the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e team at the CMS Cybersecurity Integration Center (CCIC). One of the services provided by the CCIC includes vulnerability scanning, with support in place for all scanning needed from infrastructure to endpoint. The CCIC supports risk analysis at CMS by ingesting scan logs and identifying risks through its Security Incident Event Management (SIEM) tool. 
In order to set up vulnerability scanning for new systems, please send an email to the CDM Manager using this email address: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf a data center chooses not to use the vulnerability scanning service provided by the CCIC, then it may choose a vendor-provided one. There are requirements that must be met by those System Owners who decide not to use the CCIC. These requirements include the baseline configurations that must be scanned against, such as those found in \u003cem\u003eRisk Management Handbook Chapter 5 Configuration Management\u0026nbsp;\u003c/em\u003e(CM-6). Information for meeting these requirements is\u0026nbsp;found in the \u003cem\u003eCMS CCIC Integration Requirements \u003c/em\u003edocument. For access to this document, please reach out to the CDM Manager by sending an email to: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eWhen vulnerabilities are discovered they must be mitigated within a given timeframe. 
This timeframe varies depending on the criticality of the vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical vulnerabilities within \u003cstrong\u003e15 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eHigh vulnerabilities within \u003cstrong\u003e30 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eModerate vulnerabilities within \u003cstrong\u003e90 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eLow vulnerabilities within \u003cstrong\u003e365 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the identified vulnerabilities cannot be mitigated within the given time frame and exceed those thresholds then they must be documented in the designated POA\u0026amp;M as weaknesses and mitigated through timelines defined for the corresponding level of weakness.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control RA-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications [\u003cem\u003eAssignment: organization- defined frequency and/or randomly in accordance with organization-defined process\u003c/em\u003e] and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eEmploys vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process 
by using standards for:\u003c/li\u003e\u003cli\u003eEnumerating platforms, software flaws, and improper configurations;\u003c/li\u003e\u003cli\u003eFormatting checklists and test procedures; and\u003c/li\u003e\u003cli\u003eMeasuring vulnerability impact;\u003c/li\u003e\u003cli\u003eAnalyzes vulnerability scan reports and results from security control assessments;\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities [\u003cem\u003eAssignment: organization-defined response times\u003c/em\u003e] in accordance with an organizational assessment of risk; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with [\u003cem\u003eAssignment: organization-defined personnel or roles\u003c/em\u003e] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications no less often than once every 72 hours and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eComplies with DHS Continuous Diagnostics and Mitigation program and CMS requirements; and 5. 
Complying with required reporting metrics (e.g., CyberScope).\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities based on the Business Owner’s risk prioritization in accordance with the guidance defined under security control SI- 02; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with affected/related stakeholders on a “need to know” basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Tool Capability (RA-5(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS has the capability to update the scanning tools it uses for vulnerability scanning efforts. New vulnerabilities are a constant and it is essential to update the capability of the tools used as new vulnerabilities are discovered, announced, and published. Better scanning methods are therefore developed in response to the ever-changing threat landscape. As new updates and versions of the vulnerability scanning tools become available, they must be updated in order to ensure that the latest capabilities are deployed in scanning the CMS network. Vendor-provided tools will include a process to update as agreed between the vendor and datacenter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Frequency/Prior to New Scan/When Identified (RA-5(2))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is updating the vulnerabilities it is scanning for on a regular basis through a defined frequency, prior to each new scan, and when identified. 
Readily updating the vulnerabilities that are scanned helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for updating the information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters – Control RA-5(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(2)\u003c/td\u003e\u003ctd\u003eThe organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].\u003c/td\u003e\u003ctd\u003eThe organization updates the database of known information system vulnerabilities to be used in the scanning process no less often than every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eSystem Owners whose systems are not covered by the CCIC must provide documentation to demonstrate their vendor-provided tools are updated no less often than once every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDiscoverable Information (RA-5(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is determining the information that potential adversaries can discover in the event of malicious activities against the CMS network. 
In addition, this control requires that corrective actions are identified and then taken to eliminate the information discoverable to adversaries. In order to ensure that vulnerability scans are prompting appropriate corrective actions, organizations must be able to determine what information is discoverable by adversaries. For systems that are scanned by the CCIC, the CDM team utilizes a Security Intelligence Hub (SIH) that acts as a central repository of vulnerability information and holds such data specific to that scan for one (1) year. Included in this information are corrective actions that the ISSO can take to remedy the identified vulnerabilities in their systems. The ISSO may request access to this repository by sending an email to the CDM Manager at: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSystem Owners whose systems are not scanned by the CCIC must provide documentation to the CDM team detailing the information discoverable on their systems to adversaries. This can be done by performing annual searches of common internet locations to find out what information is available on the internet about the system. The procedures for documenting this discoverable information should follow the basic who, what, when, where, and why format. 
Once this information is determined and documented, the Division of Cyber Threat and Security Operations, System Owner, and Contractor Staff will establish a meeting to identify and carry out the appropriate corrective actions.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(4):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters – Control RA-5(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment:\u003c/p\u003e\u003cp\u003eorganization-defined corrective actions].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries, and subsequently takes appropriate corrective\u003c/p\u003e\u003cp\u003eactions to limit discoverable system information.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003e\u0026nbsp;Privileged Access (RA-5(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere are systems on the CMS network that require privileged access. In order to conduct vulnerability scans on these systems, there must be an ability for the scanners to receive privileged access to these systems. A complete analysis of the privileged areas of system appliances cannot be performed without the necessary privileged access. 
The purpose of this control is to ensure that CMS identifies the information system components that require privileged access and the vulnerability scanning activities that require such access, as well as ensuring that privileged access is implemented for these activities.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(5):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control RA-5(5)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(5)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-\u003c/p\u003e\u003cp\u003edefined vulnerability scanning activities].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe information system implements privileged access authorization to operating system, telecommunications, and configuration components for selected vulnerability scanning activities to facilitate more thorough scanning.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThis can be achieved by obtaining appropriate management approval to allow privileged users such as Firewall Privileged Users and Intrusion Detection Privileged Users to perform vulnerability assessment from the privileged accounts perspective.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca 
href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS-wide information security program. 
HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to 
\u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. 
CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. 
\u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). 
Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. 
In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. 
Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which is based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g., AC-2(1), AC-2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. 
They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency with which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency with which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. 
This results in a clearer and more detailed understanding of requirement specifics to assist the organization in meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"21:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the 
ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to be implemented – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS-wide information security program. 
HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to 
\u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. 
CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. 
\u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). 
Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. 
In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. 
Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which is based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g., AC-2(1), AC-2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. 
They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. 
This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention | Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control 
families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"24:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n23:{\"self\":\"$24\"}\n27:[\"menu_ui\",\"scheduler\"]\n26:{\"module\":\"$27\"}\n2a:[]\n29:{\"available_menus\":\"$2a\",\"parent\":\"\"}\n2b:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n28:{\"menu_ui\":\"$29\",\"scheduler\":\"$2b\"}\n25:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$26\",\"third_party_settings\":\"$28\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n22:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$23\",\"attributes\":\"$25\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/39240c69-3096-49cd-a07c-3843b6c48c5f\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"dwheeler\"}\n2c:{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n31:{\"self\":\"$32\"}\n33:{\"display_name\":\"meg - 
retired\"}\n30:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$31\",\"attributes\":\"$33\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n35:{\"self\":\"$36\"}\n38:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n37:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\""])</script><script>self.__next_f.push([1,"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$38\"}\n3c:{\"drupal_internal__target_id\":\"resource_type\"}\n3b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$3c\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3a:{\"data\":\"$3b\",\"links\":\"$3d\"}\n42:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n43:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n41:{\"related\":\"$42\",\"self\":\"$43\"}\n40:{\"data\":null,\"links\":\"$41\"}\n4a:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n49:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$4a\"}\n48:{\"help\":\"$49\"}\n47:{\"links\":\"$48\"}\n46:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$47\"}\n45:[\"$46\"]\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n4d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n4b:{\"related\":\"$4c\",\"self\":\"$4d\"}\n44:{\"data\":\"$45\",\"links\":\"$4b\"}\n39:{\"vid\":\"$3a\",\"revision_user\":\"$40\",\"parent\":\"$44\"}\n34:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$35\",\"attributes\":\"$37\",\"relationships\":\"$39\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4f:{\"self\":\"$50\"}\n52:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n51:{\"drupal_internal_"])</script><script>self.__next_f.push([1,"_tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$52\"}\n56:{\"drupal_internal__target_id\":\"roles\"}\n55:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$56\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n54:{\"data\":\"$55\",\"links\":\"$57\"}\n5c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n5d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n5b:{\"related\":\"$5c\",\"self\":\"$5d\"}\n5a:{\"data\":null,\"links\":\"$5b\"}\n64:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n63:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$64\"}\n62:{\"help\":\"$63\"}\n61:{\"links\":\"$62\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$61\"}\n5f:[\"$60\"]\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n67:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n65:{\"related\":\"$66\",\"self\":\"$67\"}\n5e:{\"data\":\"$5f\",\"links\":\"$65\"}\n53:{\"vid\":\"$54\",\"revision_user\":\"$5a\",\"parent\":\"$5e\"}\n4e:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4f\",\"attributes\":\"$51\",\"relationships\":\"$53\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a"])</script><script>self.__next_f.push([1,"18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n69:{\"self\":\"$6a\"}\n6c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n6b:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$6c\"}\n70:{\"drupal_internal__target_id\":\"roles\"}\n6f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$70\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n6e:{\"data\":\"$6f\",\"links\":\"$71\"}\n76:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n77:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n75:{\"related\":\"$76\",\"self\":\"$77\"}\n74:{\"data\":null,\"links\":\"$75\"}\n7e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n7d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7e\"}\n7c:{\"help\":\"$7d\"}\n7b:{\"links\":\"$7c\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$7b\"}\n79:[\"$7a\"]\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n81:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7f:{\"related\":\"$80\",\"self\":\"$81\"}\n78:{\"data\":\"$79\",\"links\":\"$7f\"}\n6d:{\"vid\":\"$6e\",\"revision_user\":\"$74\",\"parent\":\"$78\"}\n68:{\"type\":\"taxonomy_term--roles\",\"id\":"])</script><script>self.__next_f.push([1,"\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$69\",\"attributes\":\"$6b\",\"relationships\":\"$6d\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n83:{\"self\":\"$84\"}\n86:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n85:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$86\"}\n8a:{\"drupal_internal__target_id\":\"roles\"}\n89:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$8a\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n88:{\"data\":\"$89\",\"links\":\"$8b\"}\n90:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n91:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8f:{\"related\":\"$90\",\"self\":\"$91\"}\n8e:{\"data\":null,\"links\":\"$8f\"}\n98:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n97:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$98\"}\n96:{\"help\":\"$97\"}\n95:{\"links\":\"$96\"}\n94:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$95\"}\n93:[\"$94\"]\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n9b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n99:{\"related\":\""])</script><script>self.__next_f.push([1,"$9a\",\"self\":\"$9b\"}\n92:{\"data\":\"$93\",\"links\":\"$99\"}\n87:{\"vid\":\"$88\",\"revision_user\":\"$8e\",\"parent\":\"$92\"}\n82:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$83\",\"attributes\":\"$85\",\"relationships\":\"$87\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}\n9d:{\"self\":\"$9e\"}\na0:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9f:{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 
Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$a0\"}\na4:{\"drupal_internal__target_id\":\"topics\"}\na3:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$a4\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na2:{\"data\":\"$a3\",\"links\":\"$a5\"}\naa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"}\nab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}\na9:{\"related\":\"$aa\",\"self\":\"$ab\"}\na8:{\"data\":null,\"links\":\"$a9\"}\nb2:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nb1:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$b2\"}\nb0:{\"help\":\"$b1\"}\naf:{\"links\":\"$b0\"}\nae:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$af\"}\nad:[\"$ae\"]\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"}\nb5:{\"href\":\"https://cybe"])</script><script>self.__next_f.push([1,"rgeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}\nb3:{\"related\":\"$b4\",\"self\":\"$b5\"}\nac:{\"data\":\"$ad\",\"links\":\"$b3\"}\na1:{\"vid\":\"$a2\",\"revision_user\":\"$a8\",\"parent\":\"$ac\"}\n9c:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":\"$9d\",\"attributes\":\"$9f\",\"relationships\":\"$a1\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}\nb7:{\"self\":\"$b8\"}\nba:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb9:{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 
Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ba\"}\nbe:{\"drupal_internal__target_id\":\"topics\"}\nbd:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$be\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbc:{\"data\":\"$bd\",\"links\":\"$bf\"}\nc4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"}\nc5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}\nc3:{\"related\":\"$c4\",\"self\":\"$c5\"}\nc2:{\"data\":null,\"links\":\"$c3\"}\ncc:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ncb:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$cc\"}\nca:{\"help\":\"$cb\"}\nc9:{\"links\":\"$ca\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c9\"}\nc7:[\"$c8\"]\nce:{"])</script><script>self.__next_f.push([1,"\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"}\ncf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}\ncd:{\"related\":\"$ce\",\"self\":\"$cf\"}\nc6:{\"data\":\"$c7\",\"links\":\"$cd\"}\nbb:{\"vid\":\"$bc\",\"revision_user\":\"$c2\",\"parent\":\"$c6\"}\nb6:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":\"$b7\",\"attributes\":\"$b9\",\"relationships\":\"$bb\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0?resourceVersion=id%3A19433\"}\nd1:{\"self\":\"$d2\"}\nd4:[]\nd6:T806,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is the Cybersecurity and Risk Assessment Program (CSRAP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/strong\u003e is a security and risk assessment process for FISMA systems at CMS. It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP was formerly known as the\u0026nbsp; \u003cstrong\u003eAdaptive Capabilities Testing (ACT) Program\u003c/strong\u003e at CMS. 
The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy do I need a CSRAP assessment?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a critical component of the\u0026nbsp;\u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is strongly recommended over the traditional\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment (SCA)\u003c/a\u003e. While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eFor detailed information about CSRAP, see the\u0026nbsp;\u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d7:T806,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhat is the Cybersecurity and Risk Assessment Program (CSRAP)?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/strong\u003e is a security and risk assessment process for FISMA systems at CMS. 
It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP was formerly known as the\u0026nbsp; \u003cstrong\u003eAdaptive Capabilities Testing (ACT) Program\u003c/strong\u003e at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy do I need a CSRAP assessment?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCSRAP is a critical component of the\u0026nbsp;\u003ca href=\"https://cybergeek.cms.gov/learn/authorization-operate-ato\"\u003eAuthorization to Operate (ATO)\u003c/a\u003e process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC).\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eCSRAP is strongly recommended over the traditional\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment (SCA)\u003c/a\u003e. While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. 
CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.\u003c/p\u003e\u003cp\u003eFor detailed information about CSRAP, see the\u0026nbsp;\u003ca href=\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e"])</script><script>self.__next_f.push([1,"d5:{\"value\":\"$d6\",\"format\":\"body_text\",\"processed\":\"$d7\"}\nd3:{\"drupal_internal__id\":3501,\"drupal_internal__revision_id\":19433,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:33:34+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$d4\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$d5\"}\ndb:{\"drupal_internal__target_id\":\"page_section\"}\nda:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$db\"}\ndd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/paragraph_type?resourceVersion=id%3A19433\"}\nde:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/relationships/paragraph_type?resourceVersion=id%3A19433\"}\ndc:{\"related\":\"$dd\",\"self\":\"$de\"}\nd9:{\"data\":\"$da\",\"links\":\"$dc\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/field_specialty_item?resourceVersion=id%3A19433\"}\ne2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/relationships/field_specialty_item?resourceVersion=id%3A19433\"}\ne0:{\"related\":\"$e1\",\"self\":\"$e2\"}\ndf:{\"data\":null,\"links\":
\"$e0\"}\nd8:{\"paragraph_type\":\"$d9\",\"field_specialty_item\":\"$df\"}\nd0:{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"links\":\"$d1\",\"attributes\":\"$d3\",\"relationships\":\"$d8\"}\ne5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8?resourceVersion=id%3A19434\"}\ne4:{\"self\":\"$e5\"}\ne7:[]\ne8:{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eRoles and responsibilities for CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eThe designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eEvery"])</script><script>self.__next_f.push([1," FISMA system and team has unique needs. The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests.\u0026nbsp;\u003c/p\u003e\u003cp\u003eMore information about each team member's specific roles and responsibilities can be found in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eRoles and responsibilities for CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eThe designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. 
The assessment process is led by the CSRAP team.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eEvery FISMA system and team has unique needs. The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests.\u0026nbsp;\u003c/p\u003e\u003cp\u003eMore information about each team member's specific roles and responsibilities can be found in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e\"}\ne6:{\"drupal_internal__id\":611,\"drupal_internal__revision_id\":19434,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T16:55:19+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$e7\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$e8\"}\nec:{\"drupal_internal__target_id\":\"page_section\"}\neb:{\"type\":\"par"])</script><script>self.__next_f.push([1,"agraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ec\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/paragraph_type?resourceVersion=id%3A19434\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/relationships/paragraph_type?resourceVersion=id%3A19434\"}\ned:{\"related\":\"$ee\",\"self\":\"$ef\"}\nea:{\"data\":\"$eb\",\"links\":\"$ed\"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/field_specialty_item?resourceVersion=id%3A19434\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/
jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/relationships/field_specialty_item?resourceVersion=id%3A19434\"}\nf1:{\"related\":\"$f2\",\"self\":\"$f3\"}\nf0:{\"data\":null,\"links\":\"$f1\"}\ne9:{\"paragraph_type\":\"$ea\",\"field_specialty_item\":\"$f0\"}\ne3:{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"links\":\"$e4\",\"attributes\":\"$e6\",\"relationships\":\"$e9\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a?resourceVersion=id%3A19435\"}\nf5:{\"self\":\"$f6\"}\nf8:[]\nfa:T1b2c,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eTypes of CSRAP assessments\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThere are two types of assessments within the CSRAP process:\u0026nbsp;\u003cstrong\u003eSecurity Assessment (SA)\u003c/strong\u003e and\u0026nbsp;\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e. The type of assessment you need is determined by a number of factors, including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhether your system is new or existing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhere your system is in its three-year ATO cycle\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhether there has been a significant change to your system\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecurity Assessment\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor a Security Assessment, CSRAP can be further customized to your system’s needs. The categories for CSRAP Security Assessments are defined by which controls from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e are included in the assessment. 
The Security Assessment categories are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eComprehensive Security Assessment\u003c/strong\u003e: All ARS Controls are included in the assessment.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFISMA Annual Security Assessment\u003c/strong\u003e: Specific ARS Controls are selected by the Authorization Official or agency for yearly assessment, including core controls.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eTailored Security Assessment\u003c/strong\u003e: Only a specified subset of ARS Controls are included in the Security Assessment.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRisk Assessment\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eRisk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRisk-driven rather than compliance-driven:\u0026nbsp;\u003c/strong\u003eRA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCapability-oriented rather than control-oriented\u003c/strong\u003e: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eUtilizes all available risk data\u003c/strong\u003e: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. 
RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is included in a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrevious Security Assessment and/or Risk Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003eVulnerability Scanning\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eValidation of\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e closed since the last assessment\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. 
In addition to the sources above, the RA for your system may pull data from the following sources:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eA-123 review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eData from\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e reports\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInherited\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRisk Vulnerability Assessment (RVA)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSelf-Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVulnerability Testing\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is the result of a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFollowing a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. 
This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Risk Assessment Report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherent risks arise directly from unmitigated findings (including open POA\u0026amp;Ms).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I\u0026amp;A) mechanism is weak.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eResidual risks arise indirectly from already mitigated findings or from some source other than technical findings.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The system mitigated the noted I\u0026amp;A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherited risks exist because security controls are inherited from another system. 
Any open POA\u0026amp;M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The data center hosting the system has an open POA\u0026amp;M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA\u0026amp;M from the other system.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"fb:T1b2c,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eTypes of CSRAP assessments\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThere are two types of assessments within the CSRAP process:\u0026nbsp;\u003cstrong\u003eSecurity Assessment (SA)\u003c/strong\u003e and\u0026nbsp;\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e. The type of assessment you need is determined by a number of factors, including:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eWhether your system is new or existing\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhere your system is in its three-year ATO cycle\u003c/li\u003e\u003cli dir=\"ltr\"\u003eWhether there has been a significant change to your system\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003eSecurity Assessment\u0026nbsp;\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eFor a Security Assessment, CSRAP can be further customized to your system’s needs. 
The categories for CSRAP Security Assessments are defined by which controls from the\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e are included in the assessment. The Security Assessment categories are:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eComprehensive Security Assessment\u003c/strong\u003e: All ARS Controls are included in the assessment.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eFISMA Annual Security Assessment\u003c/strong\u003e: Specific ARS Controls are selected by the Authorization Official or agency for yearly assessment, including core controls.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eTailored Security Assessment\u003c/strong\u003e: Only a specified subset of ARS Controls are included in the Security Assessment.\u003c/li\u003e\u003c/ul\u003e\u003ch3 dir=\"ltr\"\u003eRisk Assessment\u003c/h3\u003e\u003cp dir=\"ltr\"\u003eRisk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eRisk-driven rather than compliance-driven:\u0026nbsp;\u003c/strong\u003eRA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eCapability-oriented rather than control-oriented\u003c/strong\u003e: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. 
RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eUtilizes all available risk data\u003c/strong\u003e: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is included in a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFor existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003ePrevious Security Assessment and/or Risk Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\"\u003eVulnerability Scanning\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eValidation of\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e closed since the last assessment\u003c/li\u003e\u003c/ul\u003e\u003cp dir=\"ltr\"\u003eThe CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. 
In addition to the sources above, the RA for your system may pull data from the following sources:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eA-123 review\u003c/li\u003e\u003cli dir=\"ltr\"\u003eData from\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e reports\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/cms-information-system-risk-assessment-isra\"\u003eInformation System Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eInherited\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePOA\u0026amp;Ms\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eRisk Vulnerability Assessment (RVA)\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003ca href=\"https://security.cms.gov/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003eSelf-Assessment\u003c/li\u003e\u003cli dir=\"ltr\"\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eVulnerability Testing\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eWhat is the result of a Risk Assessment?\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eFollowing a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. 
This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe Risk Assessment Report divides risks into three categories:\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherent risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherent risks arise directly from unmitigated findings (including open POA\u0026amp;Ms).\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I\u0026amp;A) mechanism is weak.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eResidual risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eResidual risks arise indirectly from already mitigated findings or from some source other than technical findings.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The system mitigated the noted I\u0026amp;A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eInherited risks\u003c/strong\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eInherited risks exist because security controls are inherited from another system. 
Any open POA\u0026amp;M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.\u003c/li\u003e\u003cli dir=\"ltr\"\u003eExample: The data center hosting the system has an open POA\u0026amp;M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA\u0026amp;M from the other system.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"f9:{\"value\":\"$fa\",\"format\":\"body_text\",\"processed\":\"$fb\"}\nf7:{\"drupal_internal__id\":651,\"drupal_internal__revision_id\":19435,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:00:27+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$f8\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$f9\"}\nff:{\"drupal_internal__target_id\":\"page_section\"}\nfe:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ff\"}\n101:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/paragraph_type?resourceVersion=id%3A19435\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/relationships/paragraph_type?resourceVersion=id%3A19435\"}\n100:{\"related\":\"$101\",\"self\":\"$102\"}\nfd:{\"data\":\"$fe\",\"links\":\"$100\"}\n105:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/field_specialty_item?resourceVersion=id%3A19435\"}\n106:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85
f1-411f-a67e-e9d9ad620d8a/relationships/field_specialty_item?resourceVersion=id%3A19435\"}\n104:{\"related\":\"$105\",\"self\":\"$106\"}\n103:{\"data\":null,\"links\":\"$104\"}\nfc:{\"paragraph_type\":\"$fd\",\"field_specialty_item\":\"$103\"}\nf4:{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"links\":\"$f5\",\"attributes\":\"$f7\",\"relationships\":\"$fc\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893?resourceVersion=id%3A19442\"}\n108:{\"self\":\"$109\"}\n10b:[]\n10c:{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eScheduling your CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eComplete the following steps to schedule and prepare for your CSRAP assessment:\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eScheduling your CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eComplete the following steps to schedule and prepare for your CSRAP assessment:\u003c/p\u003e\"}\n10a:{\"drupal_internal__id\":3502,\"d"])</script><script>self.__next_f.push([1,"rupal_internal__revision_id\":19442,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:40:45+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$10b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$10c\"}\n110:{\"drupal_internal__target_id\":\"page_section\"}\n10f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$110\"}\n112:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/paragraph_type?resourceVersion=id%3A19442\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/relationships/paragraph_type?resourceVersion=id%3A19442\"}\n111:{\"related\":\"$112\",\"self\":\"$113\"}\n10e:{\"data\":\"$10f\
",\"links\":\"$111\"}\n116:{\"target_revision_id\":19441,\"drupal_internal__target_id\":3511}\n115:{\"type\":\"paragraph--process_list\",\"id\":\"116789c0-3ace-45d4-85ec-ef9e0aa216c5\",\"meta\":\"$116\"}\n118:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/field_specialty_item?resourceVersion=id%3A19442\"}\n119:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/relationships/field_specialty_item?resourceVersion=id%3A19442\"}\n117:{\"related\":\"$118\",\"self\":\"$119\"}\n114:{\"data\":\"$115\",\"links\":\"$117\"}\n10d:{\"paragraph_type\":\"$10e\",\"field_specialty_item\":\"$114\"}\n107:{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"links\":\"$108\",\"attributes\":\"$10a\",\"relationships\":\"$10d\"}\n11c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa?resourceVersion=id%3A19443\"}\n11b:{\"self\":\"$11c\"}\n11e:[]\n11f:{\"value\":\"\u003ch2\u003eImportant due dates\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eOnce you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifa"])</script><script>self.__next_f.push([1,"cts and their due dates are summarized below. 
You can find more details about the artifacts in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e: 3 weeks before Preliminary Discussion Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 2 Artifacts\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTechnical Outputs\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003c/ul\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eImportant due dates\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eOnce you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. 
You can find more details about the artifacts in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e: 3 weeks before Preliminary Discussion Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 2 Artifacts\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTechnical Outputs\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003c/ul\u003e\"}\n11d:{\"drupal_internal__id\":3503,\"drupal_internal__revision_id\":19443,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:42:07+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$11e\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field"])</script><script>self.__next_f.push([1,"_text_block\":\"$11f\"}\n123:{\"drupal_internal__target_id\":\"page_section\"}\n122:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$123\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/paragraph_type?resourceVersion=id%3A19443\"}\n126:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/relationships/paragraph_type?resourceVersion=id%3A19443\"}\n124:{\"related\":\"$125\",\"self\":\"$126\"}\n121:{\"data\":\"$122\",\"links\":\"$124\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/field_spe
cialty_item?resourceVersion=id%3A19443\"}\n12a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/relationships/field_specialty_item?resourceVersion=id%3A19443\"}\n128:{\"related\":\"$129\",\"self\":\"$12a\"}\n127:{\"data\":null,\"links\":\"$128\"}\n120:{\"paragraph_type\":\"$121\",\"field_specialty_item\":\"$127\"}\n11a:{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"links\":\"$11b\",\"attributes\":\"$11d\",\"relationships\":\"$120\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d?resourceVersion=id%3A19444\"}\n12c:{\"self\":\"$12d\"}\n12f:[]\n130:{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eNeed help?\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eIf you have questions or need assistance, contact the CSRAP team via email: \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eYou can also review the CSRAP Handbook for all details on the process.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eNeed help?\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eIf you have questions or need assistance, co"])</script><script>self.__next_f.push([1,"ntact the CSRAP team via email: \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eYou can also review the CSRAP Handbook for all details on the process.\u0026nbsp;\u003ca 
href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\"}\n12e:{\"drupal_internal__id\":3504,\"drupal_internal__revision_id\":19444,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:42:52+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$12f\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$130\"}\n134:{\"drupal_internal__target_id\":\"page_section\"}\n133:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$134\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/paragraph_type?resourceVersion=id%3A19444\"}\n137:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/relationships/paragraph_type?resourceVersion=id%3A19444\"}\n135:{\"related\":\"$136\",\"self\":\"$137\"}\n132:{\"data\":\"$133\",\"links\":\"$135\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/field_specialty_item?resourceVersion=id%3A19444\"}\n13b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/relationships/field_specialty_item?resourceVersion=id%3A19444\"}\n139:{\"related\":\"$13a\",\"self\":\"$13b\"}\n138:{\"data\":null,\"links\":\"$139\"}\n131:{\"paragraph_type\":\"$132\",\"field_specialty_item\":\"$138\"}\n12b:{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"links\":\"$12c\",\"attributes\":\"$12e\",\"relationships\":\"$131\"}\n13e:{\"href\":\"https://c
ybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-"])</script><script>self.__next_f.push([1,"3ace-45d4-85ec-ef9e0aa216c5?resourceVersion=id%3A19441\"}\n13d:{\"self\":\"$13e\"}\n140:[]\n13f:{\"drupal_internal__id\":3511,\"drupal_internal__revision_id\":19441,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:11:46+00:00\",\"parent_id\":\"3502\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$140\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n144:{\"drupal_internal__target_id\":\"process_list\"}\n143:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$144\"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/paragraph_type?resourceVersion=id%3A19441\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/relationships/paragraph_type?resourceVersion=id%3A19441\"}\n145:{\"related\":\"$146\",\"self\":\"$147\"}\n142:{\"data\":\"$143\",\"links\":\"$145\"}\n14b:{\"target_revision_id\":19436,\"drupal_internal__target_id\":3506}\n14a:{\"type\":\"paragraph--process_list_item\",\"id\":\"8a1d84c1-95c5-48b5-86b9-4c882407749a\",\"meta\":\"$14b\"}\n14d:{\"target_revision_id\":19437,\"drupal_internal__target_id\":3507}\n14c:{\"type\":\"paragraph--process_list_item\",\"id\":\"4141ae6a-5815-4a57-a071-1db86f64f189\",\"meta\":\"$14d\"}\n14f:{\"target_revision_id\":19438,\"drupal_internal__target_id\":3508}\n14e:{\"type\":\"paragraph--process_list_item\",\"id\":\"d5c26c96-7000-4819-a38a-1bc09ccb4411\",\"meta\":\"$14f\"}\n151:{\"target_revision_id\":19439,\"drupal_internal__target_id\":3509}\n150:{\"type\":\"paragraph--process_list_item\",\"id\":\"54a9fc7e-b81a-43c2-8ff3-e61f938d74b3\",\"meta\":\"$151\"}\n153:{\"target_revision_id\":19440,\"drupal_internal__target_id\":3510}\n152:{\"typ
e\":\"paragraph--process_list_item\",\"id\":\"ae035b1f-08b9-41ab-bc34-28fe8261b666\",\"meta\":\"$153\"}\n149:[\"$14a\",\"$14c\",\"$14e\",\"$150\",\"$152\"]\n155:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/field_process_list_item?resourceVersion=id%3A19441\"}\n156:{\"href\":\"https://cy"])</script><script>self.__next_f.push([1,"bergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/relationships/field_process_list_item?resourceVersion=id%3A19441\"}\n154:{\"related\":\"$155\",\"self\":\"$156\"}\n148:{\"data\":\"$149\",\"links\":\"$154\"}\n141:{\"paragraph_type\":\"$142\",\"field_process_list_item\":\"$148\"}\n13c:{\"type\":\"paragraph--process_list\",\"id\":\"116789c0-3ace-45d4-85ec-ef9e0aa216c5\",\"links\":\"$13d\",\"attributes\":\"$13f\",\"relationships\":\"$141\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a?resourceVersion=id%3A19436\"}\n158:{\"self\":\"$159\"}\n15b:[]\n15c:{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eThe CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eThe CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect.\u0026nbsp;\u003ca 
href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\"}\n15a:{\"drupal_internal__id\":3506,\"drupal_internal__revision_id\":19436,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:11:46+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$15b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$15c\",\"field_list_item_title\":\"Review CSRAP Handbook\"}\n160:{\"drupal_internal__target_id\":\"process_list_item\"}\n15f:{\"t"])</script><script>self.__next_f.push([1,"ype\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$160\"}\n162:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a/paragraph_type?resourceVersion=id%3A19436\"}\n163:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a/relationships/paragraph_type?resourceVersion=id%3A19436\"}\n161:{\"related\":\"$162\",\"self\":\"$163\"}\n15e:{\"data\":\"$15f\",\"links\":\"$161\"}\n15d:{\"paragraph_type\":\"$15e\"}\n157:{\"type\":\"paragraph--process_list_item\",\"id\":\"8a1d84c1-95c5-48b5-86b9-4c882407749a\",\"links\":\"$158\",\"attributes\":\"$15a\",\"relationships\":\"$15d\"}\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189?resourceVersion=id%3A19437\"}\n165:{\"self\":\"$166\"}\n168:[]\n169:{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eYou will need your\u0026nbsp;\u003cstrong\u003eTier 1 CSRAP Artifacts\u003c/strong\u003e to proceed with CSRAP 
activities. Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application.\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eYou will need your\u0026nbsp;\u003cstrong\u003eTier 1 CSRAP Artifacts\u003c/strong\u003e to proceed with CSRAP activities. Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application.\u0026nbsp;\u003c/p\u003e\"}\n167:{\"drupal_internal__id\":3507,\"drupal_internal__revision_id\":19437,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:12:16+00:00\",\"parent_id\":\"3511\",\"parent_type"])</script><script>self.__next_f.push([1,"\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$168\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$169\",\"field_list_item_title\":\"Prepare required 
artifacts\"}\n16d:{\"drupal_internal__target_id\":\"process_list_item\"}\n16c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$16d\"}\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189/paragraph_type?resourceVersion=id%3A19437\"}\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189/relationships/paragraph_type?resourceVersion=id%3A19437\"}\n16e:{\"related\":\"$16f\",\"self\":\"$170\"}\n16b:{\"data\":\"$16c\",\"links\":\"$16e\"}\n16a:{\"paragraph_type\":\"$16b\"}\n164:{\"type\":\"paragraph--process_list_item\",\"id\":\"4141ae6a-5815-4a57-a071-1db86f64f189\",\"links\":\"$165\",\"attributes\":\"$167\",\"relationships\":\"$16a\"}\n173:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411?resourceVersion=id%3A19438\"}\n172:{\"self\":\"$173\"}\n175:[]\n176:{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eVisit the CMS CSRAP Confluence page (CMS Log-in Required) using the following URLs to select your preferred and secondary dates for the type of CSRAP assessment you require:\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Security Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Risk Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003eEmail the CSRAP Team at \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested 
dates.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eVisit the CMS CSRAP Confluence page (CMS Log-in Required) using "])</script><script>self.__next_f.push([1,"the following URLs to select your preferred and secondary dates for the type of CSRAP assessment you require:\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Security Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Risk Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003eEmail the CSRAP Team at \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested dates.\u003c/p\u003e\"}\n174:{\"drupal_internal__id\":3508,\"drupal_internal__revision_id\":19438,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:12:41+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$175\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$176\",\"field_list_item_title\":\"Check the Available Slots in 
Confluence\"}\n17a:{\"drupal_internal__target_id\":\"process_list_item\"}\n179:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$17a\"}\n17c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411/paragraph_type?resourceVersion=id%3A19438\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411/relationships/paragraph_type?resourceVersion=id%3A19438\"}\n17b:{\"related\":\"$17c\",\"self\":\"$17d\"}\n178:{\"data\":\"$179\",\"links\":\"$17b\"}\n177:{\"paragraph_type\":\"$178\"}\n171:{\"type\":\"paragraph--process_list_item\",\"id\":\"d5c26c96-7000-4819-a38a-1bc09ccb4411\",\"links\":\"$172\",\"attributes\":\"$174\",\"relationships\":\"$177\"}\n180:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3?resourceVersion=id%3A19439\"}\n17f:{\"self\":\"$180\"}\n182:[]\n183:{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eC"])</script><script>self.__next_f.push([1,"SRAP Team will confirm the dates via email and schedule a date for Preliminary meeting for assessment along with sending CSRAP intake form and Tier 1 document list to be completed and directly uploaded to CFACTS under Assessment Tab.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eAfter \\\"intake form\\\" is uploaded, notify CSRAP Team so they can review that.\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eCSRAP Team will confirm the dates via email and schedule a date for Preliminary meeting for assessment along with sending CSRAP intake form and Tier 1 document list to be completed and directly uploaded to CFACTS under Assessment Tab.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eAfter \\\"intake form\\\" is uploaded, notify CSRAP Team so they can review 
that.\u0026nbsp;\u003c/p\u003e\"}\n181:{\"drupal_internal__id\":3509,\"drupal_internal__revision_id\":19439,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:13:22+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$182\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$183\",\"field_list_item_title\":\"Complete CSRAP intake Form\"}\n187:{\"drupal_internal__target_id\":\"process_list_item\"}\n186:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$187\"}\n189:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3/paragraph_type?resourceVersion=id%3A19439\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3/relationships/paragraph_type?resourceVersion=id%3A19439\"}\n188:{\"related\":\"$189\",\"self\":\"$18a\"}\n185:{\"data\":\"$186\",\"links\":\"$188\"}\n184:{\"paragraph_type\":\"$185\"}\n17e:{\"type\":\"paragraph--process_list_item\",\"id\":\"54a9fc7e-b81a-43c2-8ff3-e61f938d74b3\",\"links\":\"$17f\",\"attributes\":\"$181\",\"relationships\":\"$184\"}\n18d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666?resourceVersion=id%3A19440\"}\n18c:{\"self\":\"$"])</script><script>self.__next_f.push([1,"18d\"}\n18f:[]\n190:{\"value\":\"\u003cp\u003eYour team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed\u0026nbsp;\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. 
The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eYour team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed\u0026nbsp;\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.\u003c/p\u003e\"}\n18e:{\"drupal_internal__id\":3510,\"drupal_internal__revision_id\":19440,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:13:37+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$18f\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$190\",\"field_list_item_title\":\"Prep for Preliminary Discussion 
Meeting\"}\n194:{\"drupal_internal__target_id\":\"process_list_item\"}\n193:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$194\"}\n196:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666/paragraph_type?resourceVersion=id%3A19440\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666/relationships/paragraph_type?resourceVersion=id%3A19440\"}\n195:{\"related\":\"$196\",\"self\":\"$197\"}\n192:{\"data\":\"$193\",\"links\":\"$195\"}\n191:{\"paragraph_type\":\"$192\"}\n18b:{\"type\":\"paragraph--process_list_item\",\"id\":\"ae035b1f-08b"])</script><script>self.__next_f.push([1,"9-41ab-bc34-28fe8261b666\",\"links\":\"$18c\",\"attributes\":\"$18e\",\"relationships\":\"$191\"}\n19a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926?resourceVersion=id%3A19445\"}\n199:{\"self\":\"$19a\"}\n19c:[]\n19b:{\"drupal_internal__id\":656,\"drupal_internal__revision_id\":19445,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:24+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$19c\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1a0:{\"drupal_internal__target_id\":\"internal_link\"}\n19f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1a0\"}\n1a2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/paragraph_type?resourceVersion=id%3A19445\"}\n1a3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/relationships/paragraph_type?resourceVersion=id%3A19445\"}\n1a1:{\"related\":\"$1a2\",\"self\":\"$1a3\"}\n19e:{\"data\":\"$19f\",\"links\":\"$1a1\"}\n1a6:{\"drupal_internal__
target_id\":1187}\n1a5:{\"type\":\"node--blog\",\"id\":\"d1446997-1d1b-4b7d-aa29-4e35dcd79dc2\",\"meta\":\"$1a6\"}\n1a8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/field_link?resourceVersion=id%3A19445\"}\n1a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/relationships/field_link?resourceVersion=id%3A19445\"}\n1a7:{\"related\":\"$1a8\",\"self\":\"$1a9\"}\n1a4:{\"data\":\"$1a5\",\"links\":\"$1a7\"}\n19d:{\"paragraph_type\":\"$19e\",\"field_link\":\"$1a4\"}\n198:{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"links\":\"$199\",\"attributes\":\"$19b\",\"relationships\":\"$19d\"}\n1ac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2?resourceVersion=id%3A19446\"}\n1ab:{\"self\":\"$1ac\"}\n1ae:[]\n1ad:{\"drupal_internal__id\":661,\"drupal_internal__revision_id\":19446,\"langcode\":"])</script><script>self.__next_f.push([1,"\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:55+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1ae\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1b2:{\"drupal_internal__target_id\":\"internal_link\"}\n1b1:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1b2\"}\n1b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/paragraph_type?resourceVersion=id%3A19446\"}\n1b5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/relationships/paragraph_type?resourceVersion=id%3A19446\"}\n1b3:{\"related\":\"$1b4\",\"self\":\"$1b5\"}\n1b0:{\"data\":\"$1b1\",\"links\":\"$1b3\"}\n1b8:{\"drupal_internal__target_id\":501}\n1b7:{\"type\":\"node--library\",\"id\":\"3ca47d54-92c
a-4015-b7a3-6875f0d42bb6\",\"meta\":\"$1b8\"}\n1ba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/field_link?resourceVersion=id%3A19446\"}\n1bb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/relationships/field_link?resourceVersion=id%3A19446\"}\n1b9:{\"related\":\"$1ba\",\"self\":\"$1bb\"}\n1b6:{\"data\":\"$1b7\",\"links\":\"$1b9\"}\n1af:{\"paragraph_type\":\"$1b0\",\"field_link\":\"$1b6\"}\n1aa:{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"links\":\"$1ab\",\"attributes\":\"$1ad\",\"relationships\":\"$1af\"}\n1be:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a?resourceVersion=id%3A19447\"}\n1bd:{\"self\":\"$1be\"}\n1c0:[]\n1bf:{\"drupal_internal__id\":671,\"drupal_internal__revision_id\":19447,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:16+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1c0\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1c4:{\"drupal_internal__target_id\":\"internal_link\"}\n1c3:{\"type\":\"paragraphs_type--paragraphs_ty"])</script><script>self.__next_f.push([1,"pe\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1c4\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/paragraph_type?resourceVersion=id%3A19447\"}\n1c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/relationships/paragraph_type?resourceVersion=id%3A19447\"}\n1c5:{\"related\":\"$1c6\",\"self\":\"$1c7\"}\n1c2:{\"data\":\"$1c3\",\"links\":\"$1c5\"}\n1ca:{\"drupal_internal__target_id\":391}\n1c9:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":\"$1ca\"}\n1cc:{\"href\":\"http
s://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/field_link?resourceVersion=id%3A19447\"}\n1cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/relationships/field_link?resourceVersion=id%3A19447\"}\n1cb:{\"related\":\"$1cc\",\"self\":\"$1cd\"}\n1c8:{\"data\":\"$1c9\",\"links\":\"$1cb\"}\n1c1:{\"paragraph_type\":\"$1c2\",\"field_link\":\"$1c8\"}\n1bc:{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"links\":\"$1bd\",\"attributes\":\"$1bf\",\"relationships\":\"$1c1\"}\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a?resourceVersion=id%3A19448\"}\n1cf:{\"self\":\"$1d0\"}\n1d2:[]\n1d1:{\"drupal_internal__id\":676,\"drupal_internal__revision_id\":19448,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:01+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1d2\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1d6:{\"drupal_internal__target_id\":\"internal_link\"}\n1d5:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1d6\"}\n1d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/paragraph_type?resourceVersion=id%3A19448\"}\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/r"])</script><script>self.__next_f.push([1,"elationships/paragraph_type?resourceVersion=id%3A19448\"}\n1d7:{\"related\":\"$1d8\",\"self\":\"$1d9\"}\n1d4:{\"data\":\"$1d5\",\"links\":\"$1d7\"}\n1dc:{\"drupal_internal__target_id\":361}\n1db:{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"meta\":\"$1dc\"}\n1de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef
-4b7f-b3ee-4f4c55fe4a5a/field_link?resourceVersion=id%3A19448\"}\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/relationships/field_link?resourceVersion=id%3A19448\"}\n1dd:{\"related\":\"$1de\",\"self\":\"$1df\"}\n1da:{\"data\":\"$1db\",\"links\":\"$1dd\"}\n1d3:{\"paragraph_type\":\"$1d4\",\"field_link\":\"$1da\"}\n1ce:{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"links\":\"$1cf\",\"attributes\":\"$1d1\",\"relationships\":\"$1d3\"}\n1e2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5?resourceVersion=id%3A19449\"}\n1e1:{\"self\":\"$1e2\"}\n1e4:[]\n1e3:{\"drupal_internal__id\":681,\"drupal_internal__revision_id\":19449,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:09:14+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1e4\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1e8:{\"drupal_internal__target_id\":\"internal_link\"}\n1e7:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1e8\"}\n1ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/paragraph_type?resourceVersion=id%3A19449\"}\n1eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/relationships/paragraph_type?resourceVersion=id%3A19449\"}\n1e9:{\"related\":\"$1ea\",\"self\":\"$1eb\"}\n1e6:{\"data\":\"$1e7\",\"links\":\"$1e9\"}\n1ee:{\"drupal_internal__target_id\":631}\n1ed:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":\"$1ee\"}\n1f0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_lin"])</script><script>self.__next_f.push([1,"k/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/field_link?resourceVersion=id%3A19449\"}\n1f1
:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/relationships/field_link?resourceVersion=id%3A19449\"}\n1ef:{\"related\":\"$1f0\",\"self\":\"$1f1\"}\n1ec:{\"data\":\"$1ed\",\"links\":\"$1ef\"}\n1e5:{\"paragraph_type\":\"$1e6\",\"field_link\":\"$1ec\"}\n1e0:{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"links\":\"$1e1\",\"attributes\":\"$1e3\",\"relationships\":\"$1e5\"}\n1f4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9?resourceVersion=id%3A19450\"}\n1f3:{\"self\":\"$1f4\"}\n1f6:[]\n1f5:{\"drupal_internal__id\":3505,\"drupal_internal__revision_id\":19450,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:45:13+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1f6\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1fa:{\"drupal_internal__target_id\":\"internal_link\"}\n1f9:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1fa\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/paragraph_type?resourceVersion=id%3A19450\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/relationships/paragraph_type?resourceVersion=id%3A19450\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1f8:{\"data\":\"$1f9\",\"links\":\"$1fb\"}\n200:{\"drupal_internal__target_id\":681}\n1ff:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":\"$200\"}\n202:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/field_link?resourceVersion=id%3A19450\"}\n203:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/r
elationships/field_link?resourceVersion=id%3A19450\"}\n201:{\"related\":\"$202\",\"self\":\"$203\"}\n1fe:{\"data\":\"$1ff\",\"links\":\"$201\"}\n1f7:{\"para"])</script><script>self.__next_f.push([1,"graph_type\":\"$1f8\",\"field_link\":\"$1fe\"}\n1f2:{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"links\":\"$1f3\",\"attributes\":\"$1f5\",\"relationships\":\"$1f7\"}\n206:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2?resourceVersion=id%3A5922\"}\n205:{\"self\":\"$206\"}\n208:{\"alias\":\"/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\",\"pid\":1192,\"langcode\":\"en\"}\n20a:Tbe0,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhy is database scanning important?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eScanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. This is part of the process known as Vulnerability Management (VM).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eISPG provides\u0026nbsp;\u003ca href=\"https://www.trustwave.com/en-us/services/database-security/dbprotect/\"\u003eTrustwave DbProtect\u003c/a\u003e (external link) for use throughout CMS. Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. 
It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTrustwave DbProtect is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCompatible\u003c/strong\u003e with both on-premises and cloud-based databases\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eFree\u003c/strong\u003e for all systems at CMS\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEasy\u003c/strong\u003e to request through ServiceNow\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eWhen do I use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, the Cybersecurity and Risk Assessment Program (CSRAP) strongly encourages database scanning as part of its onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eDbProtect is available even if you’re not preparing for a CSRAP assessment. Any time you’re adding a database or large data store to your system, you can scan it with DbProtect so the addition is made as securely as possible.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eHow do I get started?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eTo request a DbProtect scan of a database or large data store, complete the\u0026nbsp;\u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026amp;sys_id=03b71d651baa6510fed48512f54bcb70\"\u003eServiceNow workflow\u003c/a\u003e (link requires a CMS login). 
It will ask you for information about the database, and the scan will be scheduled from there.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn order to access the workflow in ServiceNow and request a scan, \u003cstrong\u003eyou will need the following CMS job codes\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_PRD\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_TRG\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eContact\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eQuestions about DbProtect or database scanning? Contact the CMS Vulnerability Assessment Team at\u0026nbsp;\u003ca href=\"mailto:VAT@cms.hhs.gov\"\u003eVAT@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20b:Tbe0,"])</script><script>self.__next_f.push([1,"\u003ch2 dir=\"ltr\"\u003eWhy is database scanning important?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eCMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eScanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. 
This is part of the process known as Vulnerability Management (VM).\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eWhy use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eISPG provides\u0026nbsp;\u003ca href=\"https://www.trustwave.com/en-us/services/database-security/dbprotect/\"\u003eTrustwave DbProtect\u003c/a\u003e (external link) for use throughout CMS. Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThe DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eTrustwave DbProtect is:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eCompatible\u003c/strong\u003e with both on-premises and cloud-based databases\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eFree\u003c/strong\u003e for all systems at CMS\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003e\u003cstrong\u003eEasy\u003c/strong\u003e to request through ServiceNow\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eWhen do I use DbProtect?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, the Cybersecurity and Risk Assessment Program (CSRAP) strongly encourages database scanning as part of its onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eDbProtect is available even if you’re not preparing for a CSRAP assessment. 
Any time you’re adding a database or large data store to the system, you can use DbProtect to do it as securely as possible.\u003c/p\u003e\u003ch2 dir=\"ltr\"\u003eHow do I get started?\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eTo request a DbProtect scan of a database or large data store, complete the\u0026nbsp;\u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=cat_item\u0026amp;sys_id=03b71d651baa6510fed48512f54bcb70\"\u003eServiceNow workflow\u003c/a\u003e (link requires a CMS login). It will ask you for information about the database, and the scan will be scheduled from there.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eIn order to access the workflow in ServiceNow and request a scan, \u003cstrong\u003eyou will need the following CMS job codes\u003c/strong\u003e:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_PRD\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp dir=\"ltr\"\u003eSNOW_TRG\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2 dir=\"ltr\"\u003eContact\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eQuestions about DbProtect or database scanning? 
Contact the CMS Vulnerability Assessment Team at\u0026nbsp;\u003ca href=\"mailto:VAT@cms.hhs.gov\"\u003eVAT@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp dir=\"ltr\"\u003e\u003cem\u003eThis post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.\u003c/em\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"209:{\"value\":\"$20a\",\"format\":\"body_text\",\"processed\":\"$20b\",\"summary\":\"\"}\n20c:{\"value\":\"Before your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eBefore your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!\u003c/p\u003e\\n\"}\n207:{\"drupal_internal__nid\":1187,\"drupal_internal__vid\":5922,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-18T18:12:36+00:00\",\"status\":true,\"title\":\"Avoid database breaches with ISPG’s free vulnerability scanning 
service\",\"created\":\"2024-05-01T14:38:06+00:00\",\"changed\":\"2024-09-18T18:12:36+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$208\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$209\",\"field_short_description\":\"$20c\",\"field_video_link\":null}\n210:{\"drupal_internal__target_id\":\"blog\"}\n20f:{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":\"$210\"}\n212:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/node_type?resourceVersion=id%3A5922\"}\n213:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/node_type?resourceVersion=id%3A5922\"}\n211:{\"related\":\"$212\",\"self\":\"$213\"}\n20e:{\"data\":\"$20f\",\"links\":\"$211\"}\n216:{\"drupal_internal__target_id\":6}\n215:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$216\"}\n218:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/revision_uid?resourceVersion=id%3A5922\"}\n219:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/revision_uid?resourceVersion=id%3A5922\"}\n217:{\"related\":\"$218\",\"self\":\"$219\"}\n214:{\"data\":\"$215\",\"links\":\"$217\"}\n21c:{\"drupal_internal_"])</script><script>self.__next_f.push([1,"_target_id\":6}\n21b:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$21c\"}\n21e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/uid?resourceVersion=id%3A5922\"}\n21f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/uid?resourceVersion=id%3A5922\"}\n21d:{\"relat
ed\":\"$21e\",\"self\":\"$21f\"}\n21a:{\"data\":\"$21b\",\"links\":\"$21d\"}\n222:{\"drupal_internal__target_id\":6}\n221:{\"type\":\"media--blog_cover_image\",\"id\":\"72738a9d-42bb-4ba9-90c2-635a49ceeb81\",\"meta\":\"$222\"}\n224:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_cover_image?resourceVersion=id%3A5922\"}\n225:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_cover_image?resourceVersion=id%3A5922\"}\n223:{\"related\":\"$224\",\"self\":\"$225\"}\n220:{\"data\":\"$221\",\"links\":\"$223\"}\n228:{\"drupal_internal__target_id\":20}\n227:{\"type\":\"group--team\",\"id\":\"3fd7f823-5271-484b-b015-377d55251796\",\"meta\":\"$228\"}\n22a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_publisher_group?resourceVersion=id%3A5922\"}\n22b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_publisher_group?resourceVersion=id%3A5922\"}\n229:{\"related\":\"$22a\",\"self\":\"$22b\"}\n226:{\"data\":\"$227\",\"links\":\"$229\"}\n22e:{\"drupal_internal__target_id\":106}\n22d:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":\"$22e\"}\n230:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_resource_type?resourceVersion=id%3A5922\"}\n231:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_resource_type?resourceVersion=id%3A5922\"}\n22f:{\"related\":\"$230\",\"self\":\"$231\"}\n22c:{\"data\":\"$22d\",\"links\":\"$22f\"}\n235:{\"drupal_internal__target_id\":66}\n234:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-"])</script><script>self.__next_f.push([1,"dffe50c27da5\",\"meta\":\"$235\"}\n237:{\"drupal_internal__target_id\":61}\n236:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a
18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$237\"}\n239:{\"drupal_internal__target_id\":76}\n238:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$239\"}\n23b:{\"drupal_internal__target_id\":71}\n23a:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$23b\"}\n233:[\"$234\",\"$236\",\"$238\",\"$23a\"]\n23d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_roles?resourceVersion=id%3A5922\"}\n23e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_roles?resourceVersion=id%3A5922\"}\n23c:{\"related\":\"$23d\",\"self\":\"$23e\"}\n232:{\"data\":\"$233\",\"links\":\"$23c\"}\n242:{\"drupal_internal__target_id\":6}\n241:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$242\"}\n244:{\"drupal_internal__target_id\":46}\n243:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$244\"}\n240:[\"$241\",\"$243\"]\n246:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_topics?resourceVersion=id%3A5922\"}\n247:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_topics?resourceVersion=id%3A5922\"}\n245:{\"related\":\"$246\",\"self\":\"$247\"}\n23f:{\"data\":\"$240\",\"links\":\"$245\"}\n20d:{\"node_type\":\"$20e\",\"revision_uid\":\"$214\",\"uid\":\"$21a\",\"field_cover_image\":\"$220\",\"field_publisher_group\":\"$226\",\"field_resource_type\":\"$22c\",\"field_roles\":\"$232\",\"field_topics\":\"$23f\"}\n204:{\"type\":\"node--blog\",\"id\":\"d1446997-1d1b-4b7d-aa29-4e35dcd79dc2\",\"links\":\"$205\",\"attributes\":\"$207\",\"relationships\":\"$20d\"}\n24a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6?resourceVersion=id%3A5752\"}\n249:{\"self\":
\"$24a\"}\n24c:{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-14-risk-assessment-ra\",\"pid\":491,\"langcode\":\"en\"}\n24e:T9f00,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 14: Risk Assessment provides the procedures for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).\u0026nbsp;This document describes procedures that facilitate the implementation of security controls associated with the Risk Assessment (RA) family of controls. CMS intends for Chapter 14 to promote consistency among all RMH Chapters.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Assessment controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Categorization (RA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, and/or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an organization. The security category of an information type can be associated with both user information and system information. 
Establishing an appropriate security category of an information type requires determining the potential impact level for each of the security objectives of confidentiality, integrity, and availability (CIA) associated with the particular information type.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eSecurity Objective\u003c/th\u003e\u003cth\u003eLow impact potential\u003c/th\u003e\u003cth\u003eModerate impact potential\u003c/th\u003e\u003cth\u003eHigh impact potential\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosure of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosure of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e\u0026nbsp;adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosure of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eGuarding against improper information modification or destruction\u0026nbsp;and includes ensuring information non-repudiation and authenticity.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eEnsuring timely and reliable access to and use of information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each new system must define its security categorization within the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. Before the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e can be developed, the information system and the information resident within that system must be categorized based on the Federal Information Processing Standards Publication 199 (FIPS 199). NIST Special Publication 800-60 Volume I: \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories \u003c/em\u003eprovides a guideline for mapping types of information and information systems to security categories and works in conjunction with FIPS 199.\u003c/p\u003e\u003cp\u003eThe SSPP provides the detailed descriptions of all the implemented controls by the CMS ARS categories to minimize risks. 
Authorization boundaries are also developed and reviewed in correlation with the security categorization as the boundary has a direct effect on the categorization of the system. CMS has synthesized and identified the information types that apply to CMS into 11 information types:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Information Types\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation Type\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSystem Security Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ee-Authentication Level\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInvestigation, intelligence-related, and security information (14 CFR PART 191.5(D))\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMission Critical Information\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation About Persons\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 2 or Level 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFinancial, budgetary, commercial, proprietary and trade secret information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal Administration\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Federal Agency Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNew technology controlled scientific information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational 
Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Configuration Management Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Sensitive Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eLevel 2\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eNone or Level 1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe security categorization for an information system is completed by the Information System Security Officer (ISSO) and approved by the Information System Owner. All CMS information systems categorized as High or Moderate are considered sensitive or contain sensitive information. All CMS information systems categorized as Low are considered non-sensitive or contain non-sensitive information. Organizations implement the minimum security requirements and controls as established in the current CMS Information Security ARS Standard, based on the system security categorization. 
When identifying information types and assigning appropriate security categorizations for CMS systems, it is essential that the Data Guardian, Information System Owner, Business Owner, Information System Security Officer, and Cyber Risk Advisor coordinate their efforts.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a security categorization on an information system using CFACTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1\u003c/strong\u003e: Log in to CFACTS and select the “Assessment \u0026amp; Authorization (A\u0026amp;A)” dropdown tab from the top menu.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2\u003c/strong\u003e: Click on the “Authorization Package - Records” under the “Quick Links” section.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3\u003c/strong\u003e: Select the appropriate information system. You may also find the information system by clicking on the search icon in the top right of the page and specifying search criteria.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4\u003c/strong\u003e: Once the information system has been located, click on the system name to open the authorization package for the system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e: Select the “Security Category” tab from the top navigation tab of the authorization package.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6\u003c/strong\u003e: Click “Edit” at the top of the authorization package window.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7\u003c/strong\u003e: Answer the following question in the Organizational Users Section: “Is this system accessed by non-organizational users?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 8\u003c/strong\u003e: Select the information types processed, stored or transmitted by the system.\u003cul\u003e\u003cli\u003eFor help determining who is considered an organizational user and a non-organizational user, see 
the help text by clicking on the question mark to the left of the question.\u003c/li\u003e\u003cli\u003eIn the Information Type section, click on the right hand side of the “Lookup” title bar in the upper right hand corner.\u003c/li\u003e\u003cli\u003eIn the “Record Lookup” pop up, select the checkbox to the left of each information type that is used by your information system.\u003c/li\u003e\u003cli\u003eClick “Ok” when done.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 9: \u003c/strong\u003eAnswer the following question in the Personally Identifiable Information (PII) section: “Does this FISMA system collect, maintain, use or share Personally Identifiable Information (PII)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 10: \u003c/strong\u003eAnswer the following question in the Protected Health Information (PHI) section: “Is the data maintained in this FISMA system considered electronic Protected Health Information (PHI)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 11\u003c/strong\u003e: Click “Save” at the top of the screen to save all changes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Senior Official for Privacy (SOP) ultimately reviews and approves the categorization of information systems that process, store, or transmit PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRisk assessment is the process of identifying risks, both business and technical, that result from the operation of an information system: risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. 
As part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security and privacy controls planned or in place.\u003c/p\u003e\u003cp\u003eThis publication focuses on the risk assessment component of risk management—providing a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time. Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security and privacy risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments, commensurate with the expressly defined purpose and scope of the assessments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBasic Risk Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, \u003cem\u003eManaging Information Security Risk: Organization, Mission, and Information System View\u003c/em\u003e. Risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk. 
Figure 2 illustrates the four steps in the risk management process—including the risk assessment step and the information and communications flows necessary to make the process work effectively.\u003c/p\u003e\u003cp\u003eAs laid out by NIST in 800-30, the first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.\u003c/p\u003e\u003cp\u003eThe second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm, i.e., impact to the organization, and likelihood of harm occurring).\u003c/p\u003e\u003cp\u003eThe third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of a risk assessment. 
The purpose of the risk response component is to provide a consistent, organization-wide response to risk, or “risk mitigation plan”, in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action.\u003c/p\u003e\u003cp\u003eThe fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame); (ii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (iii) verify that planned risk responses are implemented and information security and privacy requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.\u003c/p\u003e\u003cp\u003eEffective information security and privacy-related risk management is a holistic activity and requires integration of risk input from the information system level (Tier 3) through the organization’s business processes (Tier 2) and up through the governance of the enterprise (Tier 1). Risk management among the top and bottom tier are bi-directional as the highest tier directs the lower tiers through policy and processes, and the lower tier feeds tactical risk back up the enterprise. 
The RMF primarily operates at Tier 3 but does involve interactions in the other two tiers through feedback from ongoing authorization decisions and dissemination of updated threat and risk information to authorizing officials and information system owners.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk Models\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight what strongly affects the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition. Risk factors\u0026nbsp;can be decomposed into more detailed characteristics (e.g., threats decomposed into threat sources and threat events). These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities, impact, and other risk factors to effectively determine risk.\u003c/p\u003e\u003cp\u003eAs noted above, risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur. This definition accommodates many types of adverse impacts at all tiers in the risk management hierarchy described in NIST Special Publication 800-39 (e.g., damage to image or reputation of the organization or financial loss at Tier 1; inability to successfully execute a specific mission/business process at Tier 2; or the resources expended in responding to an information system incident at Tier 3). 
It also accommodates relationships among impacts (e.g., loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems). For purposes of risk communication, risk is generally grouped according to the types of adverse impacts and possibly the time frames in which those impacts are likely to be experienced.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-19-03, Federal Agencies must extend their risk management approach to include \u003ca href=\"https://policy.cio.gov/hva/definition/\"\u003eHigh Value Assets (HVA).\u003c/a\u003e HVAs are assets, information systems, information, and data whose unauthorized use could cause a significant impact to the United States’ national security interests. HVA risk assessments require the agency to incorporate enterprise-wide risk considerations to include operational, business, mission, and continuity. Agencies' assessment of risk should consider not only the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies. 
Agencies' assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies' Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies' actual, related, or similar assets.\u003c/p\u003e\u003cp\u003eCMS information systems are encouraged to implement the requirements mentioned in the HHS High Value Asset Program Policy, the controls from the \u003ca href=\"https://www.cisa.gov/publication/high-value-asset-control-overlay\"\u003eCybersecurity and Infrastructure Security Agency (CISA) High Value Asset Control Overlay\u003c/a\u003e and the CMS Acceptable Risk Safeguards (ARS) which specifies security control implementations that aim to make HVAs more resistant to attacks, limit the damage from attacks when they occur, and improve resiliency and survivability.\u003c/p\u003e\u003cp\u003eCMS must conduct independent third-party or CISA-led HVA assessments within the CISA-defined frequency, methodology standards and assessment-specific requirements. CISA has established Tier Designations 1, 2 and 3 which determine the above frequency, standard and requirement.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn accordance with FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and the HHS IS2P, CMS is responsible for the ongoing assessment and authorization of all information systems classified as HVAs. 
In coordination with the Division of Security \u0026amp; Privacy Compliance (DSPC), assessments are conducted to ensure the accuracy of the information pertaining to the security posture of information systems, and the tailoring and implementation of security and privacy controls following the selection of the appropriate baseline mapped to the CMS IS2P2. CMS HVA assessments are required to include and be consistent with CISA HVA assessment requirements and expectations.\u003c/p\u003e\u003cp\u003eThe Information System Security Officer (ISSO) is responsible for preparing their information system for upcoming assessments by:\u003c/p\u003e\u003col\u003e\u003cli\u003eParticipating in assessment activities as detailed in the assessment schedule.\u003c/li\u003e\u003cli\u003eRequesting access to the CISA file repository (HSIN) for RVA artifact requests.\u003c/li\u003e\u003cli\u003eRemediating identified issues in a timely manner as stated in the HVA Assessment Report.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eCISA-Led HVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS, in coordination with the Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS), must perform certain actions to ensure effective identification and timely remediation of weaknesses based on HVA system assessments. All Tier 1-designated HVAs are to be assessed by CISA once every three (3) years. 
The below actions follow the \u003ca href=\"https://cyber.dhs.gov/bod/18-02/\"\u003eBinding Operational Directive 18-02\u003c/a\u003e with CMS-specific additions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSubmit to CISA a single Rules of Engagement (ROE) and complete an RVA intake form once the system has been identified for a CISA RVA.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe applicable ROE is maintained between HHS and CISA and applies to all HVA assessments across the Department.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each HVA and related system(s) to be assessed, submit one ROE Appendix A titled \u003cem\u003e“RVA Services for High Value Assets and Related Systems,” \u003c/em\u003eauthorizing CISA to conduct an HVA Risk and Vulnerability Assessment (RVA) on the CMS HVA and related systems.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eAppendix A specifies all of the IPs in scope for the assessment. 
Note that it will likely be necessary for the assessment to stop and the Appendix to be revised if IPs must be added during the assessment.\u003c/li\u003e\u003cli\u003eAppendix B will also be necessary if a third-party contractor is involved in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFully participate in the HVA assessment activities authorized by the ROE.\u003c/li\u003e\u003cli\u003eFully participate in a Security Assessment Report (SAR) after RVA completion.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eAs of FY2021, CISA has revised the HVA assessment methodology to include both the security architecture (previously SAR) and technical assessment (previously RVA) during a single engagement.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS systems shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by CISA, or the scope of the systems that are part of or related to the HVA being assessed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe expected scope of the HVA assessment will be the full operational “footprint” of the HVA. The hosting site and supporting services should expect to be involved. 
Generally, any systems that are providing inheritable controls to the HVA will be included in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAfter completion of the assessment, the BO and ISSO must ensure timely remediation of identified vulnerabilities and report remediation plans and progress by following the steps below:\u003c/p\u003e\u003col\u003e\u003cli\u003eWithin 30 days of receipt of the HVA assessment reports identifying major or critical weaknesses to an assessed CISA, remediate all major or critical weaknesses and provide notification to CISA that each identified weakness was addressed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eHigh, Major or Critical findings must be reported to CISA as remediated within 30 days. This is in addition to HHS requirements specified in the HHS HVA Policy and CMS POA\u0026amp;M requirements.\u003c/li\u003e\u003cli\u003eThe 30-day timing is considered to be in relation to the final assessment report. Remediation efforts should be undertaken as soon as possible after the potential finding is identified to maximize the available remediation time.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIf it is determined by the designated Senior Accountable Official for Risk Management (SAORM) that full remediation cannot be completed within the initial 30-day timeframe, develop and submit to CISA a remediation plan with remaining major or critical weaknesses within 30 days of the receipt of the RVA and/or SAR reports.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003ei. 
\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe HHS SAORM is the HHS CIO, and must approve anything other than full remediation within the initial 30 days after the final report is issued, in addition to all CMS approvals.\u003c/p\u003e\u003col\u003e\u003cli\u003eThis remediation plan shall include justification for the extended timeline, the proposed timeline and associated milestones to remediation (not to exceed one year), interim mitigation actions planned to address immediate vulnerabilities, and, if relevant, the identification of constraints related to policy, budget, workforce, and operations. This remediation plan must be signed by the designated SAORM prior to submission to CISA.\u003c/li\u003e\u003cli\u003eHHS reports the status of each remaining major or critical weakness to CISA every 30 days until full remediation is achieved. Status reports must address HVA assessment results through combined reporting and must be submitted every 30 days after the submission of the remediation plan described above.\u003c/li\u003e\u003cli\u003eHHS notifies CISA via monthly status reports of any modifications to remediation plan timelines and when full remediation has been achieved. The notifications for modifications and full remediation must be certified under signature of the designated SAORM.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eCISA will manage the progress and report submissions associated with these actions. If deadlines outlined above are not being met, CISA will engage the CMS CISO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Scanning (RA-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA vulnerability is a weakness that can be accidentally triggered or intentionally exploited, usually due to misconfigurations. Vulnerability scanning is a non-destructive form of testing that provides an organized approach to the testing, identification, analysis and reporting of potential security issues on a network. 
Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and must rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities. Network-based scanning without host credentials can be performed both internally and externally—and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.\u003c/p\u003e\u003cp\u003eFor local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host Operating Systems (OS) and application misconfigurations and vulnerabilities—both network-exploitable and locally exploitable. Local scanning is able to detect\u0026nbsp;vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.\u003c/p\u003e\u003cp\u003eThe foundation for effective vulnerability scanning includes having an asset inventory management process (e.g. automated tools and their processes) in place. Without a robust asset inventory management process in place there is an increased risk that the asset inventory is incomplete which may impact downstream processes to include vulnerability scanning and security configuration. 
This may lead to vulnerabilities and misconfigurations going unidentified and may result in exploitable conditions.\u003c/p\u003e\u003cp\u003eThe results from a vulnerability scan can show the path an adversary can take once they have gained access to the network and how much data they could collect. Vulnerability scans can also support penetration testing (CA-8) by providing information on targets for the penetration testing team to look into. Some examples of scanning activities are:\u003c/p\u003e\u003col\u003e\u003cli\u003escanning for patch levels;\u003c/li\u003e\u003cli\u003escanning for functions, ports, protocols, and services that should not be accessible to users or devices; and\u003c/li\u003e\u003cli\u003escanning for improperly configured or incorrectly operating information flow control mechanisms. Based on the information provided, the organization can then remediate vulnerabilities identified and work towards improving the security of the network.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFor CMS, the security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. All data centers must have a vulnerability scanner in place before connecting to the CMS network, either through their own vendor-provided scanner or by establishing a connection with the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e team at the CMS Cybersecurity Integration Center (CCIC). One of the services provided by the CCIC includes vulnerability scanning, with support in place for all scanning needed from infrastructure to endpoint. The CCIC supports risk analysis at CMS by ingesting scan logs and identifying risks through its Security Incident Event Management (SIEM) tool. 
In order to set up vulnerability scanning for new systems, please send an email to the CDM Manager using this email address: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf a datacenter chooses not to utilize the vulnerability scanning service provided by the CCIC, then it may choose a vendor-provided one. There are requirements that must be met for those System Owners who decide not to use the CCIC. These requirements include the baseline configurations that must be scanned against, such as those found in \u003cem\u003eRisk Management Handbook Chapter 5 Configuration Management\u0026nbsp;\u003c/em\u003e(CM-6). Information for meeting these requirements is\u0026nbsp;found in the \u003cem\u003eCMS CCIC Integration Requirements \u003c/em\u003edocument. For access to this document, please reach out to the CDM Manager by sending an email to: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eWhen vulnerabilities are discovered they must be mitigated within a given timeframe. 
This timeframe varies depending on the criticality of the vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical vulnerabilities within \u003cstrong\u003e15 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eHigh vulnerabilities within \u003cstrong\u003e30 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eModerate vulnerabilities within \u003cstrong\u003e90 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eLow vulnerabilities within \u003cstrong\u003e365 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the identified vulnerabilities cannot be mitigated within the given time frame and exceed those thresholds then they must be documented in the designated POA\u0026amp;M as weaknesses and mitigated through timelines defined for the corresponding level of weakness.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control RA-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications [\u003cem\u003eAssignment: organization- defined frequency and/or randomly in accordance with organization-defined process\u003c/em\u003e] and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eEmploys vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process 
by using standards for:\u003c/li\u003e\u003cli\u003eEnumerating platforms, software flaws, and improper configurations;\u003c/li\u003e\u003cli\u003eFormatting checklists and test procedures; and\u003c/li\u003e\u003cli\u003eMeasuring vulnerability impact;\u003c/li\u003e\u003cli\u003eAnalyzes vulnerability scan reports and results from security control assessments;\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities [\u003cem\u003eAssignment: organization-defined response times\u003c/em\u003e] in accordance with an organizational assessment of risk; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with [\u003cem\u003eAssignment: organization-defined personnel or roles\u003c/em\u003e] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications no less often than once every 72 hours and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eComplies with DHS Continuous Diagnostics and Mitigation program and CMS requirements; and 5. 
Complying with required reporting metrics (e.g., CyberScope).\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities based on the Business Owner’s risk prioritization in accordance with the guidance defined under security control SI-02; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with affected/related stakeholders on a “need to know” basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Tool Capability (RA-5(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS has the capability to update the scanning tools it uses for vulnerability scanning efforts. New vulnerabilities are a constant and it is essential to update the capability of the tools used as new vulnerabilities are discovered, announced, and published. Better scanning methods are therefore developed in response to the ever-changing threat landscape. As new updates and versions of the vulnerability scanning tools become available, they must be updated in order to ensure that the latest capabilities are deployed in scanning the CMS network. Vendor-provided tools will include a process to update as agreed between the vendor and datacenter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Frequency/Prior to New Scan/When Identified (RA-5(2))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is updating the vulnerabilities it is scanning for on a regular basis through a defined frequency, prior to each new scan, and when identified. 
Readily updating the vulnerabilities that are scanned helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for updating the information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters – Control RA-5(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(2)\u003c/td\u003e\u003ctd\u003eThe organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].\u003c/td\u003e\u003ctd\u003eThe organization updates the database of known information system vulnerabilities to be used in the scanning process no less often than every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eSystem Owners whose systems are not covered by the CCIC must provide documentation to demonstrate their vendor-provided tools are updated no less often than once every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDiscoverable Information (RA-5(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is determining the information that potential adversaries can discover in the event of malicious activities against the CMS network. 
In addition, this control requires that corrective actions are identified and then taken to eliminate the information discoverable to adversaries. In order to ensure that vulnerability scans are prompting appropriate corrective actions, organizations must be able to determine what information is discoverable by adversaries. For systems that are scanned by the CCIC, the CDM team utilizes a Security Intelligence Hub (SIH) that acts as a central repository of vulnerability information and holds such data specific to that scan for one (1) year. Included in this information are corrective actions that the ISSO can take to remedy the identified vulnerabilities in their systems. The ISSO may request access to this repository by sending an email to the CDM Manager at: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSystem Owners whose systems are not scanned by the CCIC must provide documentation to the CDM team detailing the information discoverable on their systems to adversaries. This can be done by performing annual searches of common internet locations to find out what information is available on the internet about your system. The procedures for documenting this discoverable information should follow the basic who, what, when, where, and why format. 
Once this information is determined and documented, the Division of Cyber Threat and Security Operations, System Owner, and Contractor Staff will establish a meeting to identify and carry out the appropriate corrective actions.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(4):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters – Control RA-5(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment:\u003c/p\u003e\u003cp\u003eorganization-defined corrective actions].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries, and subsequently takes appropriate corrective\u003c/p\u003e\u003cp\u003eactions to limit discoverable system information.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003e\u0026nbsp;Privileged Access (RA-5(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere are systems on the CMS network that require privileged access. In order to conduct vulnerability scans on these systems, there must be an ability for the scanners to receive privileged access to these systems. A complete analysis of the privileged areas of system appliances cannot be performed without the necessary privileged access. 
The purpose of this control is to ensure that CMS identifies the information system components that require privileged access and the vulnerability scanning activities that require such access, as well as ensuring that privileged access is implemented for these activities.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(5):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control RA-5(5)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(5)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-\u003c/p\u003e\u003cp\u003edefined vulnerability scanning activities].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe information system implements privileged access authorization to operating system, telecommunications, and configuration components for selected vulnerability scanning activities to facilitate more thorough scanning.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThis can be achieved by obtaining appropriate management approval to allow privileged users such as Firewall Privileged Users and Intrusion Detection Privileged Users to perform vulnerability assessment from the privileged accounts perspective.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"24f:T9f00,"])</script><script>self.__next_f.push([1,"\u003ch2\u003eIntroduction\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 14: Risk Assessment provides the procedures for 
implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).\u0026nbsp;This document describes procedures that facilitate the implementation of security controls associated with the Risk Assessment (RA) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 14.\u0026nbsp;\u003c/p\u003e\u003ch2\u003eRisk Assessment controls\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eSecurity Categorization (RA-2)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, and/or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an organization. The security category of an information type can be associated with both user information and system information. 
Establishing an appropriate security category of an information type requires determining the potential impact level for each security objectives of confidentiality, integrity, and availability (CIA) associated with the particular information type.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eSecurity Objective\u003c/th\u003e\u003cth\u003eLow impact potential\u003c/th\u003e\u003cth\u003eModerate impact potential\u003c/th\u003e\u003cth\u003eHigh impact potential\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003ePreserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e\u0026nbsp;adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized disclosures of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eGuarding against improper information modification or destruction\u0026nbsp;and includes ensuring information non-repudiation and authenticity.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe unauthorized modification or destruction\u0026nbsp;of information could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eAvailability\u003c/strong\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eEnsuring timely and reliable access to and use of information.\u003c/p\u003e\u003cp\u003e\u003cem\u003e[44 U.S.C., Sec. 
3542]\u003c/em\u003e\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003elimited\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003eserious\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003ctd\u003eThe disruption of access to or use of information or an information system could be expected to have a \u003cstrong\u003esevere or catastrophic\u003c/strong\u003e adverse effect on organizational operations, assets, or individuals.\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eAt CMS, each new system must define its security categorization within the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Controls Tracking System (CFACTS)\u003c/a\u003e. Before the \u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e can be developed, the information system and the information resident within that system must be categorized based on the Federal Information Processing Standards Publication 199 (FIPS 199). NIST Special Publication 800-60 Volume I: \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories \u003c/em\u003eprovides a guideline for mapping types of information and information systems to security categories and works in conjunction with FIPS 199.\u003c/p\u003e\u003cp\u003eThe SSPP provides the detailed descriptions of all the implemented controls by the CMS ARS categories to minimize risks. 
Authorization boundaries are also developed and reviewed in correlation with the security categorization as the boundary has a direct effect on the categorization of the system. CMS has synthesized and identified the information types that apply to CMS into 11 information types:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 1: CMS Information Types\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eInformation Type\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eSystem Security Level\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003ee-Authentication Level\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInvestigation, intelligence-related, and security information (14 CFR PART 191.5(D))\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMission Critical Information\u003c/td\u003e\u003ctd\u003eHigh\u003c/td\u003e\u003ctd\u003eLevel 4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation About Persons\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 2 or Level 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eFinancial, budgetary, commercial, proprietary and trade secret information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInternal Administration\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Federal Agency Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eNew technology controlled scientific information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOperational 
Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Configuration Management Information\u003c/td\u003e\u003ctd\u003eModerate\u003c/td\u003e\u003ctd\u003eLevel 3\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eOther Sensitive Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eLevel 2\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePublic Information\u003c/td\u003e\u003ctd\u003eLow\u003c/td\u003e\u003ctd\u003eNone or Level 1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe security categorization for an information system is completed by the Information System Security Officer and approved by the Information System Owner. All CMS information systems categorized as High or Moderate are considered sensitive or contain sensitive information. All CMS information systems categorized as Low are considered non-sensitive or contain non- sensitive information. Organizations implement the minimum security requirements and controls as established in the current CMS Information Security ARS Standard, based on the system security categorization. 
When identifying information types and assigning appropriate security categorizations for CMS systems, it is essential that the Data Guardian, Information System Owner, Business Owner, Information System Security Officer, and Cyber Risk Advisor coordinate their efforts.\u003c/p\u003e\u003cp\u003eThe following steps detail the CMS specific process for conducting a security categorization on an information system using CFACTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eStep 1\u003c/strong\u003e: Login to CFACTS and select the “Assessment \u0026amp; Authorization (A\u0026amp;A)” dropdown tab from the top menu.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 2\u003c/strong\u003e: Click on the “Authorization Package - Records” under the “Quick Links” section.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 3\u003c/strong\u003e: Select the appropriate information system. You may also find the information system by clicking on the search icon in the top right of the page and specifying search criteria.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 4\u003c/strong\u003e: Once the information system has been located, click on the system name to open the authorization package for the system.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 5\u003c/strong\u003e: Select the “Security Category” tab from the top navigation tab of the authorization package.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 6\u003c/strong\u003e: Click “Edit” at the top of the authorization package window.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 7\u003c/strong\u003e: Answer the following question in the Organizational Users Section: “Is this system accessed by non-organizational users?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 8\u003c/strong\u003e: Select the information types processed, stored or transmitted by the system.\u003cul\u003e\u003cli\u003eFor help determining who is considered an organizational user and a non- organizational user, see 
the help text by clicking on the question mark to the left of the question.\u003c/li\u003e\u003cli\u003eIn the Information Type section, click on the right hand side of the “Lookup” title bar in the upper right hand corner.\u003c/li\u003e\u003cli\u003eIn the “Record Lookup” pop up, select the checkbox to the left of each information type that is used by your information system.\u003c/li\u003e\u003cli\u003eClick “Ok” when done.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 9: \u003c/strong\u003eAnswer the following question in the Personally Identifiable Information (PII) section: “Does this FISMA system collect, maintain, use or share Personally Identifiable Information (PII)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 10: \u003c/strong\u003eAnswer the following question in the Protected Health Information (PHI) section: “Is the data maintained in this FISMA system considered electronic Protected Health Information (PHI)?”\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eStep 11\u003c/strong\u003e: Click “Save” at the top of the screen to save all changes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe SOP ultimately reviews and approves the categorization of information systems that process, store, or transmit PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA-3)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRisk assessment is the process of identifying risks, both business and technical, to organizational operations’ mission, functions, image, and reputation, including individuals, organizational assets, other organizations, and the Nation, resulting from the operation of an information system. 
As part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security and privacy controls planned or in place.\u003c/p\u003e\u003cp\u003eThis publication focuses on the risk assessment component of risk management—providing a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time. Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security and privacy risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments, commensurate with the expressly defined purpose and scope of the assessments.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eBasic Risk Management\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, \u003cem\u003eManaging Information Security Risk: Organization, Mission, and Information System View\u003c/em\u003e. Risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk. 
Figure 2 illustrates the four steps in the risk management process—including the risk assessment step and the information and communications flows necessary to make the process work effectively.\u003c/p\u003e\u003cp\u003eAs laid out by NIST in 800-30, the first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.\u003c/p\u003e\u003cp\u003eThe second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., typically a function of the degree of harm, i.e., impact to the organization, and likelihood of harm occurring).\u003c/p\u003e\u003cp\u003eThe third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of a risk assessment. 
The purpose of the risk response component is to provide a consistent, organization-wide response to risk, or “risk mitigation plan”, in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action.\u003c/p\u003e\u003cp\u003eThe fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame); (ii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (iii) verify that planned risk responses are implemented and information security and privacy requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.\u003c/p\u003e\u003cp\u003eEffective information security and privacy-related risk management is a holistic activity and requires integration of risk input from the information system level (Tier 3) through the organization’s business processes (Tier 2) and up through the governance of the enterprise (Tier 1). Risk management among the top and bottom tier are bi-directional as the highest tier directs the lower tiers through policy and processes, and the lower tier feeds tactical risk back up the enterprise. 
The RMF primarily operates at Tier 3 but does involve interactions in the other two tiers through feedback from ongoing authorization decisions and dissemination of updated threat and risk information to authorizing officials and information system owners.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eRisk Models\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eRisk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight what strongly affects the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition. Risk factors\u0026nbsp;can be decomposed into more detailed characteristics (e.g., threats decomposed into threat sources and threat events). These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities, impact, and other risk factors to effectively determine risk.\u003c/p\u003e\u003cp\u003eAs noted above, risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur. This definition accommodates many types of adverse impacts at all tiers in the risk management hierarchy described in NIST Special Publication 800-39 (e.g., damage to image or reputation of the organization or financial loss at Tier 1; inability to successfully execute a specific mission/business process at Tier 2; or the resources expended in responding to an information system incident at Tier 3). 
It also accommodates relationships among impacts (e.g., loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems). For purposes of risk communication, risk is generally grouped according to the types of adverse impacts and possibly the time frames in which those impacts are likely to be experienced.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePer OMB Memorandum M-19-03, Federal Agencies must extend their risk management approach to include \u003ca href=\"https://policy.cio.gov/hva/definition/\"\u003eHigh Value Assets (HVA)\u003c/a\u003e. HVAs are assets, information systems, information, and data whose unauthorized use could cause a significant impact to the United States’ national security interests. HVA risk assessments require the agency to incorporate enterprise-wide risk considerations to include operational, business, mission, and continuity. Agencies' assessment of risk should consider not only the risk that an HVA poses to the agency itself, but also the risk of interconnectivity and interdependencies leading to significant adverse impact on the functions, operations, and mission of other agencies. 
Agencies' assessment of risk to an HVA should be informed by an up-to-date awareness of threat intelligence regarding agencies' Federal information and information systems; the evolving behaviors and interests of malicious actors; and the likelihood that certain agencies and their HVAs are at risk owing to demonstrated adversary interest in agencies' actual, related, or similar assets.\u003c/p\u003e\u003cp\u003eCMS information systems are encouraged to implement the requirements mentioned in the HHS High Value Asset Program Policy, the controls from the \u003ca href=\"https://www.cisa.gov/publication/high-value-asset-control-overlay\"\u003eCybersecurity and Infrastructure Security Agency (CISA) High Value Asset Control Overlay\u003c/a\u003e and the CMS Acceptable Risk Safeguards (ARS), which specifies security control implementations that aim to make HVAs more resistant to attacks, limit the damage from attacks when they occur, and improve resiliency and survivability.\u003c/p\u003e\u003cp\u003eCMS must conduct independent third party or CISA led HVA assessments within the CISA defined frequency, methodology standards and assessment specific requirements. CISA has established Tier Designations 1, 2 and 3, which determine the above frequency, standard and requirement.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eHVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eIn accordance with FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems and the HHS IS2P, CMS is responsible for the ongoing assessment and authorization of all information systems classified as HVAs. 
In coordination with the Division of Security \u0026amp; Privacy Compliance (DSPC), assessments are conducted to ensure the accuracy of the information pertaining to the security posture of information systems, and the tailoring and implementation of security and privacy controls following the selection of the appropriate baseline mapped to the CMS IS2P2. CMS HVA assessments are required to include and be consistent with CISA HVA assessment requirements and expectations.\u003c/p\u003e\u003cp\u003eThe Information System Security Officer (ISSO) is responsible for preparing their information system for upcoming assessments by:\u003c/p\u003e\u003col\u003e\u003cli\u003eParticipating in assessment activities as detailed in the assessment schedule.\u003c/li\u003e\u003cli\u003eRequesting access to the CISA file repository (HSIN) for RVA artifact requests.\u003c/li\u003e\u003cli\u003eRemediating identified issues in a timely manner as stated in the HVA Assessment Report.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003cstrong\u003eCISA-Led HVA Assessment Process\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCMS, in coordination with the Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS), must perform certain actions to ensure effective identification and timely remediation of weaknesses based on HVA system assessments. All Tier 1 designated HVAs are to be assessed by CISA once every three (3) years. 
The below actions follow the \u003ca href=\"https://cyber.dhs.gov/bod/18-02/\"\u003eBinding Operational Directive 18-02\u003c/a\u003e with CMS specific additions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSubmit to CISA a single Rules of Engagement (ROE) and complete an RVA intake form once the system has been identified for a CISA RVA.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe applicable ROE is maintained between HHS and CISA and applies to all HVA assessments across the departments.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each HVA and related system(s) to be assessed, submit to CISA one ROE Appendix A titled \u003cem\u003e“RVA Services for High Value Assets and Related Systems,” \u003c/em\u003eauthorizing CISA to conduct an HVA Risk and Vulnerability Assessment (RVA) on the CMS HVA and related systems.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eAppendix A specifies all of the IPs in scope for the assessment. 
Note that it will likely be necessary for the assessment to stop and the Appendix to be revised if IPs must be added during the assessment.\u003c/li\u003e\u003cli\u003eAppendix B will also be necessary if a third-party contractor is involved in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFully participate in the HVA assessment activities authorized by the ROE.\u003c/li\u003e\u003cli\u003eFully participate in a Security Assessment Report (SAR) after RVA completion.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eAs of FY2021, CISA has revised the HVA assessment methodology to include both the security architecture (previously SAR) and technical assessment (previously RVA) during a single engagement.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS systems shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by CISA, or the scope of the systems that are part of or related to the HVA being assessed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe expected scope of the HVA assessment will be the full operational “footprint” of the HVA. The hosting site and supporting services should expect to be involved. 
Generally, any systems that are providing inheritable controls to the HVA will be included in the assessment.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAfter completion of the assessment, the BO and ISSO must ensure timely remediation of identified vulnerabilities and report remediation plans and progress by following the steps below:\u003c/p\u003e\u003col\u003e\u003cli\u003eWithin 30 days of receipt of the HVA assessment reports identifying major or critical weaknesses to an assessed HVA, remediate all major or critical weaknesses and provide notification to CISA that each identified weakness was addressed.\u003cul\u003e\u003cli\u003e\u003cstrong\u003eFor CMS:\u003c/strong\u003e\u003cul\u003e\u003cli\u003eHigh, Major or Critical findings must be reported to CISA as remediated within 30 days. This is in addition to HHS requirements specified in the HHS HVA Policy and CMS POA\u0026amp;M requirements.\u003c/li\u003e\u003cli\u003eThe 30-day timing is considered to be in relation to the final assessment report. Remediation efforts should be undertaken as soon as possible after the potential finding is identified to maximize the available remediation time.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIf it is determined by the designated Senior Accountable Official for Risk Management (SAORM) that full remediation cannot be completed within the initial 30-day timeframe, develop and submit to CISA a remediation plan with remaining major or critical weaknesses within 30 days of the receipt of the RVA and/or SAR reports.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e
\u003cstrong\u003eFor CMS: \u003c/strong\u003eThe HHS SAORM is the HHS CIO, and must approve anything other than full remediation within the initial 30 days after the final report is issued, in addition to all CMS approvals.\u003c/p\u003e\u003col\u003e\u003cli\u003eThis remediation plan shall include justification for the extended timeline, the proposed timeline and associated milestones to remediation (not to exceed one year), interim mitigation actions planned to address immediate vulnerabilities, and, if relevant, the identification of constraints related to policy, budget, workforce, and operations. This remediation plan must be signed by the designated SAORM prior to submission to CISA.\u003c/li\u003e\u003cli\u003eHHS reports the status of each remaining major or critical weakness to CISA every 30 days until full remediation is achieved. Status reports must address HVA assessment results through combined reporting and must be submitted every 30 days after the submission of the remediation plan described above.\u003c/li\u003e\u003cli\u003eHHS notifies CISA via monthly status reports of any modifications to remediation plan timelines and when full remediation has been achieved. The notifications for modifications and full remediation must be certified under signature of the designated SAORM.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eCISA will manage the progress and report submissions associated with these actions. If the deadlines outlined above are not being met, CISA will engage the CMS CISO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eVulnerability Scanning (RA-5)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA vulnerability is a weakness that can be accidentally triggered or intentionally exploited, usually due to misconfigurations. Vulnerability scanning is a non-destructive form of testing that provides an organized approach to the testing, identification, analysis and reporting of potential security issues on a network. 
Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and must rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities. Network-based scanning without host credentials can be performed both internally and externally—and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.\u003c/p\u003e\u003cp\u003eFor local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host Operating Systems (OS) and application misconfigurations and vulnerabilities—both network-exploitable and locally exploitable. Local scanning is able to detect\u0026nbsp;vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.\u003c/p\u003e\u003cp\u003eThe foundation for effective vulnerability scanning includes having an asset inventory management process (e.g. automated tools and their processes) in place. Without a robust asset inventory management process in place there is an increased risk that the asset inventory is incomplete which may impact downstream processes to include vulnerability scanning and security configuration. 
This may lead to vulnerabilities and misconfigurations going unidentified and may result in exploitable conditions.\u003c/p\u003e\u003cp\u003eThe results from a vulnerability scan can show the path an adversary can take once they have gained access to the network and how much data they could collect. Vulnerability scans can also support penetration testing (CA-8) by providing information on targets for the penetration testing team to look into. Some examples of scanning activities are:\u003c/p\u003e\u003col\u003e\u003cli\u003escanning for patch levels;\u003c/li\u003e\u003cli\u003escanning for functions, ports, protocols, and services that should not be accessible to users or devices; and\u003c/li\u003e\u003cli\u003escanning for improperly configured or incorrectly operating information flow control mechanisms. Based on the information provided, the organization can then remediate vulnerabilities identified and work towards improving the security of the network.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFor CMS, the security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. All data centers must have a vulnerability scanner in place before connecting to the CMS network, either through their own vendor-provided scanner or by establishing a connection with the \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e team at the CMS Cybersecurity Integration Center (CCIC). One of the services provided by the CCIC includes vulnerability scanning, with support in place for all scanning needed from infrastructure to endpoint. The CCIC supports risk analysis at CMS by ingesting scan logs and identifying risks through its Security Incident Event Management (SIEM) tool. 
In order to set up vulnerability scanning for new systems, please send an email to the CDM Manager using this email address: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf a datacenter chooses not to utilize the vulnerability scanning service provided by the CCIC, then it may choose a vendor-provided one. There are requirements that must be met for those System Owners who decide not to use the CCIC. These requirements include the baseline configurations that must be scanned against, such as those found in \u003cem\u003eRisk Management Handbook Chapter 5 Configuration Management\u0026nbsp;\u003c/em\u003e(CM-6). Information for meeting these requirements is\u0026nbsp;found in the \u003cem\u003eCMS CCIC Integration Requirements \u003c/em\u003edocument. For access to this document, please reach out to the CDM Manager by sending an email to: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eWhen vulnerabilities are discovered they must be mitigated within a given timeframe. 
This timeframe varies depending on the criticality of the vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCritical vulnerabilities within \u003cstrong\u003e15 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eHigh vulnerabilities within \u003cstrong\u003e30 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eModerate vulnerabilities within \u003cstrong\u003e90 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003cli\u003eLow vulnerabilities within \u003cstrong\u003e365 days \u003c/strong\u003efrom discovery\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf the identified vulnerabilities cannot be mitigated within the given time frame and exceed those thresholds then they must be documented in the designated POA\u0026amp;M as weaknesses and mitigated through timelines defined for the corresponding level of weakness.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 2: CMS Defined Parameters – Control RA-5\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications [\u003cem\u003eAssignment: organization- defined frequency and/or randomly in accordance with organization-defined process\u003c/em\u003e] and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eEmploys vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process 
by using standards for:\u003c/li\u003e\u003cli\u003eEnumerating platforms, software flaws, and improper configurations;\u003c/li\u003e\u003cli\u003eFormatting checklists and test procedures; and\u003c/li\u003e\u003cli\u003eMeasuring vulnerability impact;\u003c/li\u003e\u003cli\u003eAnalyzes vulnerability scan reports and results from security control assessments;\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities [\u003cem\u003eAssignment: organization-defined response times\u003c/em\u003e] in accordance with an organizational assessment of risk; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with [\u003cem\u003eAssignment: organization-defined personnel or roles\u003c/em\u003e] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization:\u003c/p\u003e\u003col\u003e\u003cli\u003eScans for vulnerabilities in the information system and hosted applications no less often than once every 72 hours and when new vulnerabilities potentially affecting the system/applications are identified and reported;\u003c/li\u003e\u003cli\u003eComplies with DHS Continuous Diagnostics and Mitigation program and CMS requirements; and\u003c/li\u003e\u003cli\u003e
Complies with required reporting metrics (e.g., CyberScope).\u003c/li\u003e\u003cli\u003eRemediates legitimate vulnerabilities based on the Business Owner’s risk prioritization in accordance with the guidance defined under security control SI-02; and\u003c/li\u003e\u003cli\u003eShares information obtained from the vulnerability scanning process and security control assessments with affected/related stakeholders on a “need to know” basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Tool Capability (RA-5(1))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS has the capability to update the scanning tools it uses for vulnerability scanning efforts. New vulnerabilities are a constant, and it is essential to update the capability of the tools used as new vulnerabilities are discovered, announced, and published. Better scanning methods are therefore developed in response to the ever-changing threat landscape. As new updates and versions of the vulnerability scanning tools become available, they must be updated in order to ensure that the latest capabilities are deployed in scanning the CMS network. Vendor-provided tools will include a process to update as agreed between the vendor and datacenter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eUpdate Frequency/Prior to New Scan/When Identified (RA-5(2))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is updating the vulnerabilities it is scanning for on a regular basis through a defined frequency, prior to each new scan, and when identified. 
Readily updating the vulnerabilities that are scanned helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for updating the information system vulnerabilities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 3: CMS Defined Parameters – Control RA-5(2)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(2)\u003c/td\u003e\u003ctd\u003eThe organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].\u003c/td\u003e\u003ctd\u003eThe organization updates the database of known information system vulnerabilities to be used in the scanning process no less often than every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eSystem Owners whose systems are not covered by the CCIC must provide documentation to demonstrate their vendor-provided tools are updated no less often than once every 72 hours, immediately prior to a new scan, and when new vulnerabilities are identified and reported.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eDiscoverable Information (RA-5(4))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe purpose of this control is to ensure that CMS is determining the information that potential adversaries can discover in the event of malicious activities against the CMS network. 
In addition, this control requires that corrective actions are identified and then taken to eliminate the information discoverable by adversaries. In order to ensure that vulnerability scans are prompting appropriate corrective actions, organizations must be able to determine what information is discoverable by adversaries. For systems that are scanned by the CCIC, the CDM team utilizes a Security Intelligence Hub (SIH) that acts as a central repository of vulnerability information and holds such data specific to that scan for one (1) year. Included in this information are corrective actions that the ISSO can take to remedy the identified vulnerabilities in their systems. The ISSO may request access to this repository by sending an email to the CDM Manager at: \u003ca href=\"mailto:EVM-CMP@cms.hhs.gov\"\u003eEVM-CMP@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eSystem Owners whose systems are not scanned by the CCIC must provide documentation to the CDM team detailing the information discoverable on their systems to adversaries. This can be done by performing annual searches of common internet locations to find out what information is available on the internet about their system. The procedures for documenting this discoverable information should follow the basic who, what, when, where, and why format. 
Once this information is determined and documented, the Division of Cyber Threat and Security Operations, System Owner, and Contractor Staff will establish a meeting to identify and carry out the appropriate corrective actions.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(4):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 4: CMS Defined Parameters – Control RA-5(4)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(4)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization determines what information about the information system is discoverable by adversaries, and subsequently takes appropriate corrective actions to limit discoverable system information.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch4\u003e\u003cstrong\u003ePrivileged Access (RA-5(5))\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThere are systems on the CMS network that require privileged access. In order to conduct vulnerability scans on these systems, there must be an ability for the scanners to receive privileged access to these systems. A complete analysis of the privileged areas of system appliances cannot be performed without the necessary privileged access. 
The purpose of this control is to ensure that CMS identifies the information system components that require privileged access and the vulnerability scanning activities that require such access, as well as ensuring that privileged access is implemented for these activities.\u003c/p\u003e\u003cp\u003eThe table below outlines the CMS ODPs for RA-5(5):\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTable 5: CMS Defined Parameters – Control RA-5(5)\u003c/strong\u003e\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eControl\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eControl Requirement\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eCMS Parameter\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRA-5(5)\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].\u003c/p\u003e\u003c/td\u003e\u003ctd\u003eThe information system implements privileged access authorization to operating system, telecommunications, and configuration components for selected vulnerability scanning activities to facilitate more thorough scanning.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThis can be achieved by obtaining appropriate management approval to allow privileged users such as Firewall Privileged Users and Intrusion Detection Privileged Users to perform vulnerability assessment from the privileged account perspective.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"24d:{\"value\":\"$24e\",\"format\":\"body_text\",\"processed\":\"$24f\",\"summary\":\"\"}\n252:[]\n251:{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) 
\",\"options\":\"$252\",\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"}\n254:[]\n253:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":\"$254\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n256:[]\n255:{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM) \",\"options\":\"$256\",\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"}\n250:[\"$251\",\"$253\",\"$255\"]\n257:{\"value\":\"RMH Chapter 14 identifies the policies and standards for the Risk Management family of controls\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eRMH Chapter 14 identifies the policies and standards for the Risk Management family of controls\u003c/p\u003e\\n\"}\n24b:{\"drupal_internal__nid\":501,\"drupal_internal__vid\":5752,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:52:22+00:00\",\"status\":true,\"title\":\"Risk Management Handbook Chapter 14: Risk Assessment (RA)\",\"created\":\"2022-08-29T18:04:54+00:00\",\"changed\":\"2024-08-05T15:52:22+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$24c\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$24d\",\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_last_reviewed\":\"2021-04-13\",\"field_related_resources\":\"$250\",\"field_short_description\":\"$257\"}\n25b:{\"drupal_internal__target_id\":\"library\"}\n25a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$25b\"}\n25d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/node_type?resourceVersion=id%3A5752\"}\n25e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/node_type?resourceVersio"])</script><script>self.__next_f.push([1,"n=id%3A5752\"}\n25c:{\"related\":\"$25d\",\"self\":\"$25e\"}\n259:{\"data\":\"$25a\",\"links\":\"$25c\"}\n261:{\"drupal_internal__target_id\":159}\n260:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$261\"}\n263:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/revision_uid?resourceVersion=id%3A5752\"}\n264:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/revision_uid?resourceVersion=id%3A5752\"}\n262:{\"related\":\"$263\",\"self\":\"$264\"}\n25f:{\"data\":\"$260\",\"links\":\"$262\"}\n267:{\"drupal_internal__target_id\":26}\n266:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$267\"}\n269:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/uid?resourceVersion=id%3A5752\"}\n26a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/uid?resourceVersion=id%3A5752\"}\n268:{\"related\":\"$269\",\"self\":\"$26a\"}\n265:{\"data\":\"$266\",\"links\":\"$268\"}\n26d:{\"drupal_internal__target_id\":91}\n26c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$26d\"}\n26f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6
/field_resource_type?resourceVersion=id%3A5752\"}\n270:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_resource_type?resourceVersion=id%3A5752\"}\n26e:{\"related\":\"$26f\",\"self\":\"$270\"}\n26b:{\"data\":\"$26c\",\"links\":\"$26e\"}\n274:{\"drupal_internal__target_id\":66}\n273:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$274\"}\n276:{\"drupal_internal__target_id\":81}\n275:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$276\"}\n278:{\"drupal_internal__target_id\":61}\n277:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$278\"}\n27a:{\"drupal_internal__target_id\":76}\n279:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-a"])</script><script>self.__next_f.push([1,"f66-7998a3329f34\",\"meta\":\"$27a\"}\n27c:{\"drupal_internal__target_id\":71}\n27b:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$27c\"}\n272:[\"$273\",\"$275\",\"$277\",\"$279\",\"$27b\"]\n27e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/field_roles?resourceVersion=id%3A5752\"}\n27f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_roles?resourceVersion=id%3A5752\"}\n27d:{\"related\":\"$27e\",\"self\":\"$27f\"}\n271:{\"data\":\"$272\",\"links\":\"$27d\"}\n283:{\"drupal_internal__target_id\":16}\n282:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$283\"}\n285:{\"drupal_internal__target_id\":36}\n284:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$285\"}\n281:[\"$282\",\"$284\"]\n287:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/field_topics?resourceVersion=id%3A5752\"}\n288:{\
"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_topics?resourceVersion=id%3A5752\"}\n286:{\"related\":\"$287\",\"self\":\"$288\"}\n280:{\"data\":\"$281\",\"links\":\"$286\"}\n258:{\"node_type\":\"$259\",\"revision_uid\":\"$25f\",\"uid\":\"$265\",\"field_resource_type\":\"$26b\",\"field_roles\":\"$271\",\"field_topics\":\"$280\"}\n248:{\"type\":\"node--library\",\"id\":\"3ca47d54-92ca-4015-b7a3-6875f0d42bb6\",\"links\":\"$249\",\"attributes\":\"$24b\",\"relationships\":\"$258\"}\n28b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}\n28a:{\"self\":\"$28b\"}\n28d:{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"}\n28e:{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\u003c/p\u003e\\n\"}\n28f:[\"#ccic_sec_eng_and_soc\"]\n28c:{\"drupal_internal__ni"])</script><script>self.__next_f.push([1,"d\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$28d\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing 
Team\",\"field_short_description\":\"$28e\",\"field_slack_channel\":\"$28f\"}\n293:{\"drupal_internal__target_id\":\"explainer\"}\n292:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$293\"}\n295:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"}\n296:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}\n294:{\"related\":\"$295\",\"self\":\"$296\"}\n291:{\"data\":\"$292\",\"links\":\"$294\"}\n299:{\"drupal_internal__target_id\":122}\n298:{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":\"$299\"}\n29b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"}\n29c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}\n29a:{\"related\":\"$29b\",\"self\":\"$29c\"}\n297:{\"data\":\"$298\",\"links\":\"$29a\"}\n29f:{\"drupal_internal__target_id\":26}\n29e:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$29f\"}\n2a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"}\n2a2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?r"])</script><script>self.__next_f.push([1,"esourceVersion=id%3A5886\"}\n2a0:{\"related\":\"$2a1\",\"self\":\"$2a2\"}\n29d:{\"data\":\"$29e\",\"links\":\"$2a0\"}\n2a6:{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}\n2a5:{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":\"$2a6\"}\n2a8:{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}\n2a7:{\"type\":\"paragraph--page
_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":\"$2a8\"}\n2a4:[\"$2a5\",\"$2a7\"]\n2aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"}\n2ab:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}\n2a9:{\"related\":\"$2aa\",\"self\":\"$2ab\"}\n2a3:{\"data\":\"$2a4\",\"links\":\"$2a9\"}\n2af:{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}\n2ae:{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":\"$2af\"}\n2b1:{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}\n2b0:{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":\"$2b1\"}\n2b3:{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}\n2b2:{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":\"$2b3\"}\n2b5:{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}\n2b4:{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":\"$2b5\"}\n2b7:{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}\n2b6:{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":\"$2b7\"}\n2b9:{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}\n2b8:{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":\"$2b9\"}\n2ad:[\"$2ae\",\"$2b0\",\"$2b2\",\"$2b4\",\"$2b6\",\"$2b8\"]\n2bb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"}\n2bc:{\"href\":\"https://cybergeek.cms"])</script><script>self.__next_f.push([1,".gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_c
ollection?resourceVersion=id%3A5886\"}\n2ba:{\"related\":\"$2bb\",\"self\":\"$2bc\"}\n2ac:{\"data\":\"$2ad\",\"links\":\"$2ba\"}\n2bf:{\"drupal_internal__target_id\":121}\n2be:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$2bf\"}\n2c1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"}\n2c2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}\n2c0:{\"related\":\"$2c1\",\"self\":\"$2c2\"}\n2bd:{\"data\":\"$2be\",\"links\":\"$2c0\"}\n2c6:{\"drupal_internal__target_id\":66}\n2c5:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2c6\"}\n2c8:{\"drupal_internal__target_id\":61}\n2c7:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2c8\"}\n2ca:{\"drupal_internal__target_id\":76}\n2c9:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2ca\"}\n2cc:{\"drupal_internal__target_id\":71}\n2cb:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2cc\"}\n2c4:[\"$2c5\",\"$2c7\",\"$2c9\",\"$2cb\"]\n2ce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"}\n2cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}\n2cd:{\"related\":\"$2ce\",\"self\":\"$2cf\"}\n2c3:{\"data\":\"$2c4\",\"links\":\"$2cd\"}\n2d3:{\"drupal_internal__target_id\":6}\n2d2:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$2d3\"}\n2d5:{\"drupal_internal__target_id\":46}\n2d4:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\
"meta\":\"$2d5\"}\n2d1:[\"$2d2\",\"$2d4\"]\n2d7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?"])</script><script>self.__next_f.push([1,"resourceVersion=id%3A5886\"}\n2d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}\n2d6:{\"related\":\"$2d7\",\"self\":\"$2d8\"}\n2d0:{\"data\":\"$2d1\",\"links\":\"$2d6\"}\n290:{\"node_type\":\"$291\",\"revision_uid\":\"$297\",\"uid\":\"$29d\",\"field_page_section\":\"$2a3\",\"field_related_collection\":\"$2ac\",\"field_resource_type\":\"$2bd\",\"field_roles\":\"$2c3\",\"field_topics\":\"$2d0\"}\n289:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":\"$28a\",\"attributes\":\"$28c\",\"relationships\":\"$290\"}\n2db:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345?resourceVersion=id%3A5569\"}\n2da:{\"self\":\"$2db\"}\n2dd:{\"alias\":\"/learn/cms-information-system-risk-assessment-isra\",\"pid\":351,\"langcode\":\"en\"}\n2de:{\"value\":\"Documentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDocumentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\u003c/p\u003e\\n\"}\n2df:[\"#cfacts_community \"]\n2dc:{\"drupal_internal__nid\":361,\"drupal_internal__vid\":5569,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:13:41+00:00\",\"status\":true,\"title\":\"CMS Information System Risk Assessment 
(ISRA)\",\"created\":\"2022-08-29T16:38:23+00:00\",\"changed\":\"2024-06-06T16:33:51+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$2dd\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":\"$2de\",\"field_slack_channel\":\"$2df\"}\n2e3:{\"drupal_internal__target_id\":\"explainer\"}\n2e2:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2e3\"}\n2e5:{\"href\":\"https://cybergeek."])</script><script>self.__next_f.push([1,"cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/node_type?resourceVersion=id%3A5569\"}\n2e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/node_type?resourceVersion=id%3A5569\"}\n2e4:{\"related\":\"$2e5\",\"self\":\"$2e6\"}\n2e1:{\"data\":\"$2e2\",\"links\":\"$2e4\"}\n2e9:{\"drupal_internal__target_id\":110}\n2e8:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$2e9\"}\n2eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/revision_uid?resourceVersion=id%3A5569\"}\n2ec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/revision_uid?resourceVersion=id%3A5569\"}\n2ea:{\"related\":\"$2eb\",\"self\":\"$2ec\"}\n2e7:{\"data\":\"$2e8\",\"links\":\"$2ea\"}\n2ef:{\"drupal_internal__target_id\":26}\n2ee:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$2ef\"}\n2f1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/uid?resourceVersion=id%3A5569\"}\n2f2:{\"href\":\"https://cybergeek.cms
.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/uid?resourceVersion=id%3A5569\"}\n2f0:{\"related\":\"$2f1\",\"self\":\"$2f2\"}\n2ed:{\"data\":\"$2ee\",\"links\":\"$2f0\"}\n2f6:{\"target_revision_id\":18217,\"drupal_internal__target_id\":476}\n2f5:{\"type\":\"paragraph--page_section\",\"id\":\"feb4d8d9-ed3e-43c2-b62b-f77023f548e9\",\"meta\":\"$2f6\"}\n2f8:{\"target_revision_id\":18218,\"drupal_internal__target_id\":3477}\n2f7:{\"type\":\"paragraph--page_section\",\"id\":\"b08b1d31-0c03-4be6-8cf9-f50c60301736\",\"meta\":\"$2f8\"}\n2f4:[\"$2f5\",\"$2f7\"]\n2fa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_page_section?resourceVersion=id%3A5569\"}\n2fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_page_section?resourceVersion=id%3A5569\"}\n2f9:{\"related\":\"$2fa\",\"self\":\"$2fb\"}\n2f3:{\"data\":\"$2f4\",\"links\":\"$2f9\"}\n2ff:{\"target_revision_id\":18219,\"dr"])</script><script>self.__next_f.push([1,"upal_internal__target_id\":1856}\n2fe:{\"type\":\"paragraph--internal_link\",\"id\":\"15c0be8e-28f3-4243-81c4-b3fde7bfe552\",\"meta\":\"$2ff\"}\n301:{\"target_revision_id\":18220,\"drupal_internal__target_id\":1861}\n300:{\"type\":\"paragraph--internal_link\",\"id\":\"944c647d-37f9-4d4d-8a1e-f5e9983042c4\",\"meta\":\"$301\"}\n303:{\"target_revision_id\":18221,\"drupal_internal__target_id\":1866}\n302:{\"type\":\"paragraph--internal_link\",\"id\":\"8719d442-16f0-42ef-a4c6-2c807896ddb8\",\"meta\":\"$303\"}\n2fd:[\"$2fe\",\"$300\",\"$302\"]\n305:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_related_collection?resourceVersion=id%3A5569\"}\n306:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_related_collection?resourceVersion=id%3A5569\"}\n304:{\"related\":\"$305\",\"self\":\"$306\"}\n2fc
:{\"data\":\"$2fd\",\"links\":\"$304\"}\n309:{\"drupal_internal__target_id\":131}\n308:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$309\"}\n30b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_resource_type?resourceVersion=id%3A5569\"}\n30c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_resource_type?resourceVersion=id%3A5569\"}\n30a:{\"related\":\"$30b\",\"self\":\"$30c\"}\n307:{\"data\":\"$308\",\"links\":\"$30a\"}\n310:{\"drupal_internal__target_id\":66}\n30f:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$310\"}\n312:{\"drupal_internal__target_id\":61}\n311:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$312\"}\n314:{\"drupal_internal__target_id\":76}\n313:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$314\"}\n316:{\"drupal_internal__target_id\":71}\n315:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$316\"}\n30e:[\"$30f\",\"$311\",\"$313\",\"$315\"]\n318:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28"])</script><script>self.__next_f.push([1,"b1e5871345/field_roles?resourceVersion=id%3A5569\"}\n319:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_roles?resourceVersion=id%3A5569\"}\n317:{\"related\":\"$318\",\"self\":\"$319\"}\n30d:{\"data\":\"$30e\",\"links\":\"$317\"}\n31d:{\"drupal_internal__target_id\":36}\n31c:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$31d\"}\n31f:{\"drupal_internal__target_id\":11}\n31e:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$31f\"}\n31b:[\"$31c\",\"$31e\"]\n3
21:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_topics?resourceVersion=id%3A5569\"}\n322:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_topics?resourceVersion=id%3A5569\"}\n320:{\"related\":\"$321\",\"self\":\"$322\"}\n31a:{\"data\":\"$31b\",\"links\":\"$320\"}\n2e0:{\"node_type\":\"$2e1\",\"revision_uid\":\"$2e7\",\"uid\":\"$2ed\",\"field_page_section\":\"$2f3\",\"field_related_collection\":\"$2fc\",\"field_resource_type\":\"$307\",\"field_roles\":\"$30d\",\"field_topics\":\"$31a\"}\n2d9:{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"links\":\"$2da\",\"attributes\":\"$2dc\",\"relationships\":\"$2e0\"}\n325:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}\n324:{\"self\":\"$325\"}\n327:{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"}\n329:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. 
Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS- wide information security program. HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. 
The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to \u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. 
In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. 
The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. \u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. 
They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. 
For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. 
However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which are based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g. AC-2(1), AC- 2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. 
The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency in which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency in which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. 
Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEmergency and Temporary accounts (to provide emergency/temporary access) Shared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program;\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization is requiring a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow provides three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention |Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"32a:T9014,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eAccess the 
ARS\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCurrent version of the ARS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/information/acceptable-risk-safeguards-50x\"\u003eARS 5.1\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003eAbout the ARS\u003c/h2\u003e\u003cp\u003eThe Centers for Medicare \u0026amp; Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.\u003c/p\u003e\u003cp\u003eThe ARS also provides supplemental controls and control enhancements for Business Owners to consider. Many of the mandatory and supplemental controls are customizable (tailorable) by the Business Owner when necessary to meet missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance. Business Owners must review all controls since all are relevant and should be considered – even if they are not required to implement them – because these controls may help to reduce overall risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow ARS works at CMS\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP). Per the Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CISO as the CMS authority for implementing the CMS-wide information security program. 
HHS IS2P also designates the SOP as the CMS authority for implementing the CMS-wide privacy program.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003cp\u003eThrough the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eISPG is responsible for ensuring the information security and privacy program defines baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies. The program must also provide:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCyber Risk Advisor (CRA) and Privacy Advisor (PA) services to Business Owners and Information System Security Officers (ISSOs)\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/authorization-operate-ato\"\u003eAuthority to Operate (ATO)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA process for \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Actions and Milestones (POA\u0026amp;M)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)\u003c/li\u003e\u003cli\u003eAn inheritable (common) control process that facilitates control inheritance from CMS control providers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe CMS CISO or SOP must review any waivers or deviations from the published baselines and make appropriate recommendations to the CIO for risk acceptance.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS used?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe goal of the ARS is to 
\u003cstrong\u003edefine a baseline of minimum information security and privacy assurance\u003c/strong\u003e. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.\u003c/p\u003e\u003cp\u003eProtecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the CMS information security and privacy assurance program. In compliance with the \u003ca href=\"/policy-guidance/cms-information-systems-security-and-privacy-policy-is2p2\"\u003eCMS Information Systems Security and Privacy Policy (IS2P2)\u003c/a\u003e, the ARS provides a defense-in-depth security architecture along with a least-privilege, need-to-know basis for all information access.\u003c/p\u003e\u003cp\u003eIncorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a \u003cstrong\u003eminimum level of information security and privacy assurance\u003c/strong\u003e. 
CMS systems are also subject to technical security protections defined under CMS’ other governance documents, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003cli\u003eApplicable TRA Supplements\u003c/li\u003e\u003cli\u003eCIO/CTO/CISO Memorandums\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e (TLC)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.\u003c/p\u003e\u003cp\u003eThe controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements nor are they intended to replace a Business Owner’s due diligence and due care to incorporate additional controls to mitigate risk. The ARS controls are the \u003cstrong\u003eminimum security and privacy requirements\u003c/strong\u003e to be considered and employed where applicable throughout the risk management process and the CMS TLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWho needs to follow ARS?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. 
\u003cstrong\u003eThe ARS controls provide a roadmap to compliance\u003c/strong\u003e with the CMS IS2P2 and \u003cstrong\u003eserve as a guideline\u003c/strong\u003e to be used throughout the TLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe Business Owner, assisted by the Information System Owner and\u0026nbsp; System Developer/Maintainer, has primary responsibility for evaluating the ARS, determining the appropriateness of each control for their system, and ensuring their proper implementation and effectiveness.\u003c/p\u003e\u003cp\u003eBusiness Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHow is ARS structured?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe information security and privacy controls have a well-defined organization and structure. They are organized into 20 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53. Each family contains controls that are related to the specific topic of the family. A two-character identifier uniquely identifies each control family (e.g., AC for Access Control). 
Security and privacy controls may involve aspects of policy, oversight, supervision, manual processes, organizationally defined parameters, and automated mechanisms that are implemented by systems or actions by individuals.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eControl Requirements Structure\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS-tailored information security and privacy controls include and encompass the NIST and HHS IS2P control baselines – and serve as the starting point for organizations in determining the appropriate controls and countermeasures necessary to protect their information systems.\u003c/p\u003e\u003cp\u003eMany of the baseline controls may be customized (tailored) to the needs of specific missions, business, information system operations, and operating environments.\u003c/p\u003e\u003cp\u003eThe term “organization” is used throughout the control requirements and associated elements. NIST SP 800-53 defines an organization as “\u003cem\u003e…an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements)\u003c/em\u003e”. CMS extends and clarifies this to include applicable supporting organizations (that is, “\u003cem\u003e…operational elements\u003c/em\u003e”) – including contractor organizations.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen assigning minimum roles and responsibilities within control requirements, text may refer to organizational leaders such as the CIO. For the purposes of control requirements, these terms are to be interpreted as follows:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor roles preceded by the term CMS, such as “\u003cem\u003eapproved by the CMS CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the CMS agency official that holds that role or title. 
In this case, the CMS CIO is the CIO for the Centers for Medicare \u0026amp; Medicaid Services.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eFor roles not preceded by the term CMS, such as “\u003cem\u003eapproved by the CIO\u003c/em\u003e”: These roles and responsibilities are to be interpreted to refer to the local official that holds that equivalent role or title. In the case of a contractor organization, the CIO might refer to a corporate Chief Information Officer, Chief Technology Officer, or Director of Information Technology for Medicare Programs. The “CIO” must be understood to be whatever corporate/organizational role is the equivalent of the “Chief Information Officer” within the applicable organizational structure and scope. Within the CMS government organizational structure, “CIO” will always refer to the CMS CIO.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and privacy controls\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA security or privacy control is the concise statement specifying specific activities or actions needed to protect an aspect of the CMS information or information system at the applicable system security level. Controls are mandatory when defined under the baseline associated with each \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e security categorization. However, security or privacy controls may be selected by the Business Owner to strengthen the level of protection provided if deemed appropriate to mitigate or reduce risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe CMS privacy program is responsible for managing the risk and ensuring information systems processing PII are in compliance with security requirements. When a system processes PII, there is a shared responsibility or collaboration between the security and privacy programs in implementing controls. 
Security or privacy controls within the ARS are identified by security control family identifier and convey CMS policy, which is based on minimum federal requirements. They employ and correlate directly to NIST SP 800-53 numbering (e.g., AC-1, AC-2, …). The control enhancements are structured the same as the base controls, following the same security control family identifier and correlating directly to NIST SP 800-53 (e.g., AC-2(1), AC-2(2), AC-2(3)). Each security or privacy control and enhancement section includes the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControl Family\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Number\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eControl Name\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS 5.0 Control\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS ARS Redline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003c/li\u003e\u003cli\u003eImplementation Standards (not available for all controls)\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003cul\u003e\u003cli\u003eWhen an implementation standard is indicated, it is associated with a security or privacy control or control enhancement. The purpose of the implementation standard is to provide a common standard for implementation across CMS for the associated control or control enhancement.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eResponsibility (suggested control responsibility)\u003cul\u003e\u003cli\u003eA control or control enhancement may be implemented at the Enterprise (OCISO), Infrastructure/Control Provider or the System levels or a combination of two or more of these entities. Organizations designate the responsibility for control development, implementation, assessment, and monitoring. 
They implement controls selected in whatever manner satisfies organizational mission or business needs consistent with law, regulation, and policy. Organizations have the flexibility to implement their selected controls and control enhancements in the most cost-effective and efficient manner while simultaneously complying with the intent of the controls or control enhancements, so the indication that a certain control or control enhancement is implemented by just a system or by an organization is notional.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eControl Review Frequency\u0026nbsp;\u003cul\u003e\u003cli\u003eFrequency with which the ISSO must review or evaluate the control.\u0026nbsp;Evidence of this review may be requested during an assessment.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Frequency\u003cul\u003e\u003cli\u003eFrequency with which the control must be assessed by a third-party assessor.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Baseline\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eCMS Discussion\u003cul\u003e\u003cli\u003eThe ARS may include additional Discussion to explain the intent of the control or control enhancement. Information within the Discussion may refer to NIST and other federal publications for further guidance. It is a recommended security practice to refer to the guidance and procedures for additional information. 
This results in a clearer and more detailed understanding of requirement specifics to assist the organization meeting the CMS security requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003ePriority\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eRelated Controls\u003cul\u003e\u003cli\u003eMany (but not all) controls and control enhancements are related to one or more other controls and control enhancements. Additionally, the related controls and control enhancements may provide additional safeguards that can be leveraged to better meet requirements. When addressing some controls, it may be important that their implementation documentation during an assessment or audit be consistent with one or more related controls. At the very least, organizations must take care to ensure that related control implementations do not conflict.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReference Policy\u003cul\u003e\u003cli\u003eThe references section identifies the section or paragraph designations of the federal source documents which are the basis for the applicable control requirements.\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAssessment Procedures\u003cul\u003e\u003cli\u003eAssessment Objective\u0026nbsp;\u003c/li\u003e\u003cli\u003eAssessment Methods and Objects (These help determine if the security and privacy control implementations in the information system are effective (i.e., implemented correctly, operating as intended, and producing the desired outcome). They provide a foundation to support the security and privacy assessment and authorization process. 
The “Assessment Procedure” section consists of two sub-sections that are designated to achieve one or more objectives by applying methods to assessment objects.)\u0026nbsp;\u003cbr\u003e\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eMajor Change designation and explanations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach of the above sections of each security or privacy control may contain, in this order: a general statement; a statement concerning systems that contain PII; a statement concerning systems that contain PHI; and a statement concerning systems that are HVAs. Not all controls will contain all statements.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow can ARS be customized?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe security and privacy controls and control enhancements are broadly designed for applicability to the entire CMS organization. Following Section 3 of NIST SP 800-53, the process is:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCategorize the system using \u003ca href=\"https://www.nist.gov/privacy-framework/fips-199\"\u003eFIPS 199\u003c/a\u003e (i.e., High, Moderate, or Low)\u003c/li\u003e\u003cli\u003eSelect the control baseline and determine applicability of controls within the baseline\u003c/li\u003e\u003cli\u003eIdentify inheritable common security and privacy controls (e.g., through the Infrastructure/Control Provider and the OCISO inheritable control catalogs)\u003c/li\u003e\u003cli\u003eIdentify and select overlay controls for systems designated as High Value Asset (HVA), or Privacy (It is recommended that the base control associated with these enhancements should be implemented alongside.)\u003c/li\u003e\u003cli\u003eCustomize/tailor controls as appropriate by applying additional controls, providing compensation for controls that cannot be met, and defining parameters/values/attributes. 
Ensure the implemented controls and control enhancements are effective within your environment.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS recognizes that some programs are subject to authorities, both internal and external to CMS, that impose additional requirements on information systems and business processes. Controls and control enhancements that are not listed within the baselines may be selected and implemented as needed by individual systems to meet these requirements. Additionally, Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.\u003c/p\u003e\u003cp\u003eA Business Owner may choose to strengthen the control beyond the minimum requirement defined within the ARS to provide the best possible protection of CMS’ information and information systems. In some cases, a Business Owner may not need to directly implement some specific controls if they can adequately demonstrate (i.e., show the implementation is effective within their environment) and document that the requirement is satisfied by a parent system (inherited).\u003c/p\u003e\u003cp\u003eSometimes Business Owners will be unable to implement information security and privacy controls, even at a minimum level, due to design, resource issues such as funding restrictions, personnel constraints, or hardware/software/facility limitations. Under these circumstances, Business Owners may use compensating controls to reduce the risk to CMS’ information, information systems, assets, and reputation. Business Owners must consider implementation of compensating controls as part of a \u003cstrong\u003erisk-based decision process\u003c/strong\u003e. 
These decisions must go through the risk acceptance and risk management processes as a part of the CMS security assessment and authorization program.\u003c/p\u003e\u003cp\u003eThe compensating controls must be documented in the System Security and Privacy Plan (SSPP), and any remaining risk must be documented in accordance with current risk assessment procedure within the Information Security Risk Assessment (ISRA), and approved by the Authorizing Official (AO) (i.e., the CMS CIO) or his/her designated representative using appropriate policy waiver mechanisms.\u003c/p\u003e\u003cp\u003eAny security and privacy control and control enhancement customization must be documented within the SSPP to address the system’s mission and operational environment. Business Owners wishing to tailor information security or privacy controls must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify the set of controls that would be applicable to that FISMA system\u003c/li\u003e\u003cli\u003eIdentify which controls they wish to tailor\u003c/li\u003e\u003cli\u003eSelect and implement alternative or compensating controls, when needed\u003c/li\u003e\u003cli\u003eImpose stronger or more restrictive parameters on the implementation of controls\u003c/li\u003e\u003cli\u003eAssign specific values to organization-defined (i.e., FISMA System) information security and privacy control parameters via explicit assignment and selection statements\u003c/li\u003e\u003cli\u003eSupplement baselines with additional security controls and control enhancements in response to mission requirements, security objectives, technology-driven needs, and other considerations\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHowever, while tailoring implementation may make selected controls and control enhancements more stringent, tailoring may not be used to make the controls and control enhancements identified as part of the CMSR baselines less stringent without appropriate documentation (within the SSPP and ISRA) and 
approval from the Authorizing Official (i.e., the CMS CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 1\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements Customizations to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eSystem specific customizing of the system implementations within the SSPP is reflected within CFACTS. Examples of customizing controls are provided below:\u003c/p\u003e\u003cp\u003eThis is an extraction from Control AC-2 (Account Management) and associated FIPS 199 Implementation Standards, and provides an example on how tailoring may be leveraged to better meet mission/system needs. This example is for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eControl from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe organization:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary;\u003c/p\u003e\u003cp\u003e. . .c.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Establishes conditions for group and role membership;\u003c/p\u003e\u003cp\u003e. . .e.\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts;\u003c/p\u003e\u003cp\u003e. . .j. Reviews accounts for compliance with account management requirements at least every 90 days for High and Moderate systems or 365 days for Low systems; and\u003c/p\u003e\u003cp\u003ek. 
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.\u003c/p\u003e\u003cp\u003e\u003cem\u003eImplementation Standards (High, Moderate, \u0026amp; Low):\u003c/em\u003e\u003c/p\u003e\u003cp\u003e. . .STD.3\u0026nbsp; \u0026nbsp;Regulate the access provided to contractors and define security requirements for contractors.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp; Notify account managers within an organization-defined timeframe when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTailored control implementation (e.g., private implementation details)\u003c/td\u003e\u003ctd\u003e\u003cp\u003e\u003cstrong\u003eThe CMS XYZ Program:\u003c/strong\u003e\u003c/p\u003e\u003cp\u003ea. Requires the following types of information system accounts to support CMS XYZ Program missions/business functions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIndividual/Organizational user accounts (federal and contractor employees),\u003c/li\u003e\u003cli\u003eSystem accounts (required by underlying operating system),\u003c/li\u003e\u003cli\u003eApplication accounts (required by installed applications),\u003c/li\u003e\u003cli\u003eGuest/anonymous accounts (general users such as beneficiaries and providers),\u003c/li\u003e\u003cli\u003eEmergency and Temporary accounts (to provide emergency/temporary access)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eShared/group accounts are not permitted under the XYZ Program. . ..\u003c/p\u003e\u003cp\u003ec. The following group and role memberships apply to the CMS XYZ Program:\u003c/p\u003e\u003cul\u003e\u003cli\u003eGroup/roles associated with individual/organizational users:\u003cul\u003e\u003cli\u003ea. Employee I (maintaining/managing system)\u003c/li\u003e\u003cli\u003eb. 
Employee II (elevated privileges for maintaining/managing system)\u003c/li\u003e\u003cli\u003ec. Organizational Administration\u003c/li\u003e\u003cli\u003ed. Application Administration\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eSystem group/roles (required by underlying Operating System)\u003c/li\u003e\u003cli\u003eApplication group/roles (required by installed applications)\u003c/li\u003e\u003cli\u003eGuest/Anonymous (required for general user accounts for beneficiaries and providers). . .\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ee. Except for the general user account, the CMS XYZ Program Information System Security Officer (ISSO) or designee must approve all requests and modifications for an information system account before an account is created or group and role memberships are modified.\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmergency accounts may be authorized by the ISSO via phone. Approval must be logged within the Program XYZ system log book.\u003c/li\u003e\u003cli\u003eAll approvals are logged.\u003c/li\u003e\u003cli\u003eThe general user account is created by the general user (i.e., beneficiaries and providers) and is subject to the guidance defined under NIST SP 800-63 (latest) and Program XYZ processes and procedures for creating a general user account;. .\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ej. Reviews non-general user accounts for compliance with account management requirements no less often than every 30 days; and\u003c/p\u003e\u003cul\u003e\u003cli\u003eGeneral user accounts are reviewed every 90 days in accordance with NIST SP 800-63 (latest) and Program XYZ processes and procedures;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003ek. 
Not applicable: Processes associated with shared/group account credentials are not applicable since shared/group accounts are not permitted.\u003c/p\u003e\u003cp\u003e\u003cem\u003eProgram XYZ Customizations of Implementation Standards:\u003c/em\u003e\u003c/p\u003e\u003cp\u003eSTD.3\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ contractors and subcontractors are subject to CMS acquisition and contractor personnel requirements.\u003c/p\u003e\u003cp\u003e. . .STD.6\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; All Program XYZ systems will notify account managers within 24 hours when temporary accounts are no longer required or when information system users are terminated or transferred or information system usage or need-to-know/need-to-share changes.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eThe clauses listed in the bottom row have been customized to better describe how account management is implemented within the example program. In some cases, the implementation customizations defer to external processes and procedures. In another case, the customization requires a more frequent review cycle than CMS specified within the ARS. The customized implementation of the control and implementation standards would be included within the CMS XYZ Program SSP. Both the risk and deployed compensations associated with guest/anonymous accounts (e.g., for beneficiaries and providers) would be discussed within the XYZ Program ISRA.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS tailoring example 2\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIdentifying Controls and Control Enhancements as Not Applicable to a System Environment\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eBelow are three examples of controls being identified as not applicable in the example environment. 
The first two are security controls: Control AC-18 (Wireless Access) and PE-13 (Emergency Lighting). This same process applies to control enhancements. As was stated in the previous section, the examples are for a fictitious program known as CMS XYZ that provides an interface for beneficiaries and providers.\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003e\u003cp\u003eThe organization monitors for unauthorized wireless access to information systems and prohibits the installation of wireless access points (WAP) to information systems unless explicitly authorized, in writing, by the CMS CIO or his/her designated representative. If wireless access is authorized, the organization:\u003c/p\u003e\u003cp\u003ea. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access;\u003c/p\u003e\u003cp\u003eb. Authorizes wireless access to the information system prior to allowing such connections;\u003c/p\u003e\u003cp\u003ec. 
The organization ensures that:\u003c/p\u003e\u003col\u003e\u003cli\u003eThe CMS CIO must approve and distribute the overall wireless plan for his or her respective organization;\u003c/li\u003e\u003cli\u003eOrganizations adhere to the HHS Standard for IEEE 802.11 Wireless Local Area Network (WLAN); and\u003c/li\u003e\u003cli\u003eMobile and wireless devices, systems, and networks are not connected to wired HHS/CMS networks except through appropriate controls (e.g., VPN port) or unless specific authorization from HHS/CMS network management has been received.\u003c/li\u003e\u003c/ol\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eNot Applicable: The CMS XYZ Program does not permit the use of wireless technology within its facilities.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity control from ARS\u003c/td\u003e\u003ctd\u003eThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControl implementation (e.g., allocation status \u0026amp; private implementation details)\u003c/td\u003e\u003ctd\u003eInherited: The CMS XYZ Program is entirely housed within Baltimore Data Center (BDC) facilities. All lighting is managed and maintained by BDC. 
It should be noted that BDC performs regular (quarterly) tests to ensure emergency lighting is operational.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eControl mapping\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eARS control mapping (from 3.1 to 5.0)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEleven controls from ARS 3.1 map to the most recent version of the ARS 5.0.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eControl\u003c/th\u003e\u003cth\u003eMaps to\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMP-CMS-01 - Media Related Records\u003c/td\u003e\u003ctd\u003eMP-6, MP-6(1), MP-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-01 - Electronic Mail\u003c/td\u003e\u003ctd\u003eSC-08\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSC-CMS-02 - Website Usage\u003c/td\u003e\u003ctd\u003eAC-14, AC-22, PL-4\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-CMS-01 - Authority and Purpose Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-CMS-01 - Accountability, Audit, and Risk Management Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003eAU-1, RA-1, PT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-CMS-01 - Data Quality and Integrity Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, SI-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-CMS-01 - Data Minimization and Retention Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, (PM-25, CM-13, MP-6(1), SI-12)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-CMS-01 - Individual Participation and Redress Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1, IR-7\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-CMS-01 - Security Control Family Policy 
and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-CMS-01 - Transparency Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-CMS-01 - Use Limitation Control Family Policy and Procedures\u003c/td\u003e\u003ctd\u003ePT-1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003ePrivacy control mapping\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eNIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThis table is intended to support organizations who have been using the privacy controls in Appendix J in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST Special Publication (SP) 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that in NIST's determination most directly address the elements of Appendix J controls.\u0026nbsp;\u003c/p\u003e\u003cp\u003eVery few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration – and the text was changed to conform to the standardized control format or to enable the controls to be more usable within a risk management program. Organizations can use the Related Controls section for each Revision 5 control to identify other controls that may also support the transition.\u0026nbsp;\u003c/p\u003e\u003cp\u003eNote: This table is only intended to provide pointers to how Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. 
It is not intended to provide an example of a complete control selection plan for a privacy program. More information on selecting controls can be found in the following resources:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/privacy-framework/nist-sp-800-37\"\u003eNIST SP 800-37\u003c/a\u003e, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eSP 800-53\u003c/a\u003e, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.nist.gov/news-events/news/2020/10/control-baselines-information-systems-and-organizations-nist-publishes-sp\"\u003eSP 800-53B\u003c/a\u003e, Control Baselines for Information Systems and Organizations\u003c/li\u003e\u003c/ul\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e800-53 Rev. 4 (Appendix J) Control\u003c/th\u003e\u003cth\u003e800-53 Rev. 
5 Controls\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAP-1: Authority to Collect\u003c/td\u003e\u003ctd\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAP-2: Purpose Specification\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-1: Governance and Privacy Program\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-3: Information Security and Privacy Resources\u003c/p\u003e\u003cp\u003ePM-18: Privacy Program Plan\u003c/p\u003e\u003cp\u003ePM-19: Privacy Program Leadership Role\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-2: Privacy Impact and Risk Assessment\u003c/td\u003e\u003ctd\u003e\u003cp\u003eRA-3: Risk Assessment\u003c/p\u003e\u003cp\u003eRA-8: Privacy Impact Assessment\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-3: Privacy Requirements for Contractors and Service Providers\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eSA-4: Acquisition Process\u003c/p\u003e\u003cp\u003eSA-9: External System Services\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-4: Privacy Monitoring and Auditing\u003c/td\u003e\u003ctd\u003eCA-2: Control Assessments\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-5: Privacy Awareness and Training\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAT-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAT-2: Literacy Training and Awareness\u003c/p\u003e\u003cp\u003eAT-3: Role-based Training\u003c/p\u003e\u003cp\u003ePL-4: Rules of Behavior\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-6: Privacy Reporting\u003c/td\u003e\u003ctd\u003ePM-27: Privacy Reporting\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-7: Privacy-Enhanced System Design and 
Development\u003c/td\u003e\u003ctd\u003eNo specific control reflects AR-7, but there are discretionary control enhancements that relate to automation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAR-8: Accounting of Disclosures\u003c/td\u003e\u003ctd\u003ePM-21:\u0026nbsp;Accounting of Disclosures\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-1: Data Quality\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDI-2: Data Integrity and Data Integrity Board\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-24: Data Integrity Board\u003c/p\u003e\u003cp\u003eSI-1: Policies and Procedures\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-1: Minimization of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSA-8(33): Security and Privacy Engineering Principles | Minimization\u003c/p\u003e\u003cp\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/p\u003e\u003cp\u003eSI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-2: Data Retention and Disposal\u003c/td\u003e\u003ctd\u003e\u003cp\u003eMP-6: Media Sanitization\u003c/p\u003e\u003cp\u003eSI-12: Information Management and Retention\u003c/p\u003e\u003cp\u003eSI-12(3): Information Management and Retention | Information Disposal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDM-3: Minimization of PII used in Testing, Training, and Research\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research\u003c/p\u003e\u003cp\u003eSI-12(2): Information Management and Retention | Minimize Personally 
Identifiable Information in Testing, Training and Research\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-1: Consent\u003c/td\u003e\u003ctd\u003ePT-4: Consent\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-2: Individual Access\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-1: Policies and Procedures\u003c/p\u003e\u003cp\u003eAC-3(14): Access Enforcement | Individual Access\u003c/p\u003e\u003cp\u003ePM-20: Dissemination of Privacy Program Information\u003c/p\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-3: Redress\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePM-22: Personally Identifiable Information Quality Management\u003c/p\u003e\u003cp\u003eSI-18: Personally Identifiable Information Quality Operations\u003c/p\u003e\u003cp\u003eSI-18(4): Personally Identifiable Information Quality Operations | Individual Requests\u003c/p\u003e\u003cp\u003eSI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIP-4: Complaint Management\u003c/td\u003e\u003ctd\u003ePM-26: Complaint Management\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-1: Inventory of Personally Identifiable Information\u003c/td\u003e\u003ctd\u003ePM-5(1): System Inventory | Inventory of Personally Identifiable Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSE-2: Privacy Incident Response\u003c/td\u003e\u003ctd\u003e\u003cp\u003eIR-8: Incident Response Plan\u003c/p\u003e\u003cp\u003eIR-8(1): Incident Response Plan | Breaches\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-1: Privacy Notice\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5: Privacy Notice\u003c/p\u003e\u003cp\u003ePT-5(1): Privacy Notice | Just-In-Time 
Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-2: System of Records Notices and Privacy Act Statements\u003c/td\u003e\u003ctd\u003e\u003cp\u003ePT-5(2): Privacy Notice | Privacy Act Statements\u003c/p\u003e\u003cp\u003ePT-6: System of Records Notice\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTR-3: Dissemination of Privacy Program Information\u003c/td\u003e\u003ctd\u003ePM-20:\u0026nbsp;Dissemination of Privacy Program Information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-1: Internal Use\u003c/td\u003e\u003ctd\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eUL-2: Information Sharing With Third Parties\u003c/td\u003e\u003ctd\u003e\u003cp\u003eAC-21: Information Sharing\u003c/p\u003e\u003cp\u003eAT-3(5): Role Based Training | Processing Personally Identifiable Information\u003c/p\u003e\u003cp\u003eAU-2: Event Logging\u003c/p\u003e\u003cp\u003ePT-2: Authority to Process Personally Identifiable Information\u003c/p\u003e\u003cp\u003ePT-3: Personally Identifiable Information Processing Purposes\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003eRecord of changes\u003c/h3\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003c/th\u003e\u003cth\u003eDate\u003c/th\u003e\u003cth\u003eChanges\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e5.0\u003c/td\u003e\u003ctd\u003e1/6/2022\u003c/td\u003e\u003ctd\u003eInitial release\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.01\u003c/td\u003e\u003ctd\u003e4/22/2022\u003c/td\u003e\u003ctd\u003eUpdates to Implementation Standards for CM and CP control 
families\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"328:{\"value\":\"$329\",\"format\":\"body_text\",\"processed\":\"$32a\",\"summary\":\"\"}\n32d:[]\n32c:{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":\"$32d\",\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"}\n32f:[]\n32e:{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":\"$32f\",\"url\":\"/learn/cms-security-and-privacy-handbooks\"}\n32b:[\"$32c\",\"$32e\"]\n330:{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information systems\u003c/p\u003e\\n\"}\n326:{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$327\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$328\",\"field_contact_email\":\"CISO@cms.hhs.org\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":\"$32b\",\"field_short_description\":\"$330\"}\n334:{\"drupal_internal__target_id\":\"library\"}\n333:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$334\"}\n336:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"}\n337:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}\n335:{\"related\":\"$336\",\"self\":\"$337\"}\n332:{\"data\":\"$333\",\"links\":\"$335\"}\n33a:{\"drupal_internal__target_id\":159}\n339:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8"])</script><script>self.__next_f.push([1,"d-5bd1329e5e64\",\"meta\":\"$33a\"}\n33c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"}\n33d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}\n33b:{\"related\":\"$33c\",\"self\":\"$33d\"}\n338:{\"data\":\"$339\",\"links\":\"$33b\"}\n340:{\"drupal_internal__target_id\":6}\n33f:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$340\"}\n342:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"}\n343:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}\n341:{\"related\":\"$342\",\"self\":\"$343\"}\n33e:{\"data\":\"$33f\",\"links\":\"$341\"}\n346:{\"drupal_internal__target_id\":96}\n345:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$346\"}\n348:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/
field_resource_type?resourceVersion=id%3A5771\"}\n349:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}\n347:{\"related\":\"$348\",\"self\":\"$349\"}\n344:{\"data\":\"$345\",\"links\":\"$347\"}\n34d:{\"drupal_internal__target_id\":66}\n34c:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$34d\"}\n34f:{\"drupal_internal__target_id\":81}\n34e:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$34f\"}\n351:{\"drupal_internal__target_id\":61}\n350:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$351\"}\n353:{\"drupal_internal__target_id\":76}\n352:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$353\"}\n355:{\"drupal_internal__target_id\":71}\n354:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$355\"}\n34b:[\"$34c\",\"$"])</script><script>self.__next_f.push([1,"34e\",\"$350\",\"$352\",\"$354\"]\n357:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"}\n358:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}\n356:{\"related\":\"$357\",\"self\":\"$358\"}\n34a:{\"data\":\"$34b\",\"links\":\"$356\"}\n35c:{\"drupal_internal__target_id\":16}\n35b:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$35c\"}\n35e:{\"drupal_internal__target_id\":36}\n35d:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$35e\"}\n35a:[\"$35b\",\"$35d\"]\n360:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"}\n361:{\"
href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}\n35f:{\"related\":\"$360\",\"self\":\"$361\"}\n359:{\"data\":\"$35a\",\"links\":\"$35f\"}\n331:{\"node_type\":\"$332\",\"revision_uid\":\"$338\",\"uid\":\"$33e\",\"field_resource_type\":\"$344\",\"field_roles\":\"$34a\",\"field_topics\":\"$359\"}\n323:{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":\"$324\",\"attributes\":\"$326\",\"relationships\":\"$331\"}\n364:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}\n363:{\"self\":\"$364\"}\n366:{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"}\n367:{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"}\n368:[\"#ispg-sec_privacy-policy\"]\n365:{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy Handbo"])</script><script>self.__next_f.push([1,"oks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$366\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$367\",\"field_slack_channel\":\"$368\"}\n36c:{\"drupal_internal__target_id\":\"explainer\"}\n36b:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$36c\"}\n36e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"}\n36f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}\n36d:{\"related\":\"$36e\",\"self\":\"$36f\"}\n36a:{\"data\":\"$36b\",\"links\":\"$36d\"}\n372:{\"drupal_internal__target_id\":6}\n371:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$372\"}\n374:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"}\n375:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}\n373:{\"related\":\"$374\",\"self\":\"$375\"}\n370:{\"data\":\"$371\",\"links\":\"$373\"}\n378:{\"drupal_internal__target_id\":6}\n377:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$378\"}\n37a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"}\n37b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}\n379:{\"related\":\"$37a\",\"self\":\"$37b\"}\n376:{\"data\":\"$377\",\"links\":\"$379\"}\n37f:{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}\n37e:{\"type\":\"p"])</script><script>self.__next_f.push([1,"aragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":\"$37f\"}\n381:{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}\n380:{\"type\":\"paragraph--page_se
ction\",\"id\":\"f5048b9a-b22a-4e67-abde-e964ff928b22\",\"meta\":\"$381\"}\n37d:[\"$37e\",\"$380\"]\n383:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"}\n384:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}\n382:{\"related\":\"$383\",\"self\":\"$384\"}\n37c:{\"data\":\"$37d\",\"links\":\"$382\"}\n388:{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}\n387:{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":\"$388\"}\n38a:{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}\n389:{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":\"$38a\"}\n38c:{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}\n38b:{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":\"$38c\"}\n38e:{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}\n38d:{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":\"$38e\"}\n390:{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}\n38f:{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":\"$390\"}\n392:{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}\n391:{\"type\":\"paragraph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":\"$392\"}\n386:[\"$387\",\"$389\",\"$38b\",\"$38d\",\"$38f\",\"$391\"]\n394:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"}\n395:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}\n393:{\"re
lated\":\"$394\",\"self\":\"$395\"}\n385:{\"data\":\""])</script><script>self.__next_f.push([1,"$386\",\"links\":\"$393\"}\n398:{\"drupal_internal__target_id\":131}\n397:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$398\"}\n39a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"}\n39b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}\n399:{\"related\":\"$39a\",\"self\":\"$39b\"}\n396:{\"data\":\"$397\",\"links\":\"$399\"}\n39f:{\"drupal_internal__target_id\":66}\n39e:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$39f\"}\n3a1:{\"drupal_internal__target_id\":81}\n3a0:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$3a1\"}\n3a3:{\"drupal_internal__target_id\":61}\n3a2:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$3a3\"}\n3a5:{\"drupal_internal__target_id\":76}\n3a4:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$3a5\"}\n3a7:{\"drupal_internal__target_id\":71}\n3a6:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$3a7\"}\n39d:[\"$39e\",\"$3a0\",\"$3a2\",\"$3a4\",\"$3a6\"]\n3a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"}\n3aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id%3A5970\"}\n3a8:{\"related\":\"$3a9\",\"self\":\"$3aa\"}\n39c:{\"data\":\"$39d\",\"links\":\"$3a8\"}\n3ae:{\"drupal_internal__target_id\":16}\n3ad:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\
",\"meta\":\"$3ae\"}\n3ac:[\"$3ad\"]\n3b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"}\n3b1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}\n"])</script><script>self.__next_f.push([1,"3af:{\"related\":\"$3b0\",\"self\":\"$3b1\"}\n3ab:{\"data\":\"$3ac\",\"links\":\"$3af\"}\n369:{\"node_type\":\"$36a\",\"revision_uid\":\"$370\",\"uid\":\"$376\",\"field_page_section\":\"$37c\",\"field_related_collection\":\"$385\",\"field_resource_type\":\"$396\",\"field_roles\":\"$39c\",\"field_topics\":\"$3ab\"}\n362:{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"links\":\"$363\",\"attributes\":\"$365\",\"relationships\":\"$369\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}},\"attributes\":{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP 
Team\",\"field_short_description\":{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":{\"drupal_internal__target_id\":95}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}},{\"type\":\"paragraph--page_sect
ion\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}},{\"type\":\"paragraph--
internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{
\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/39240c69-3096-49cd-a07c-3843b6c48c5f\"}},\"attributes\":{\"display_name\":\"dwheeler\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674?resourceVersion=id%3A6\"}},\"attributes\":{\"drupal_internal__tid\":6,\"drupal_internal__revision_id\":6,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:04:59+00:00\",\"status\":true,\"name\":\"Assessments \u0026 Audits\",\"description\":null,\"weight\":1,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/vid?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/vid?resourceVersion=id%3A6\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/revision_user?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/revision_user?resourceVersion=id%3A6\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal
.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/parent?resourceVersion=id%3A6\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/7917cea4-02d7-4ebd-93a3-4c39d5f24674/relationships/parent?resourceVersion=id%3A6\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305?resourceVersion=id%3A36\"}},\"attributes\":{\"drupal_internal__tid\":36,\"drupal_internal__revision_id\":36,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:55+00:00\",\"status\":true,\"name\":\"Risk Management \u0026 Reporting\",\"description\":null,\"weight\":5,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/vid?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/vid?resourceVersion=id%3A36\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/revision_user?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/revision_user?resourceVersion=id%3A36\"}}},\"pa
rent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/parent?resourceVersion=id%3A36\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/65ef6410-4066-4db4-be03-c8eb26b63305/relationships/parent?resourceVersion=id%3A36\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0?resourceVersion=id%3A19433\"}},\"attributes\":{\"drupal_internal__id\":3501,\"drupal_internal__revision_id\":19433,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:33:34+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/paragraph_type?resourceVersion=id%3A19433\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/relationships/paragraph_type?resourceVersion=id%3A19433\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/fiel
d_specialty_item?resourceVersion=id%3A19433\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/f36fb6d1-0795-400f-8a15-36d1979118b0/relationships/field_specialty_item?resourceVersion=id%3A19433\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8?resourceVersion=id%3A19434\"}},\"attributes\":{\"drupal_internal__id\":611,\"drupal_internal__revision_id\":19434,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T16:55:19+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eRoles and responsibilities for CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eThe designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eEvery FISMA system and team has unique needs. 
The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests.\u0026nbsp;\u003c/p\u003e\u003cp\u003eMore information about each team member's specific roles and responsibilities can be found in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eRoles and responsibilities for CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eThe designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eEvery FISMA system and team has unique needs. 
The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests.\u0026nbsp;\u003c/p\u003e\u003cp\u003eMore information about each team member's specific roles and responsibilities can be found in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/paragraph_type?resourceVersion=id%3A19434\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/relationships/paragraph_type?resourceVersion=id%3A19434\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/field_specialty_item?resourceVersion=id%3A19434\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/eb5b28d8-8825-43c5-a889-513068f48fd8/relationships/field_specialty_item?resourceVersion=id%3A19434\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a?resourceVersion=id%3A19435\"}},\"attributes\":{\"drupal_internal__id\":651,\"drupal_internal__revision_id\":19435,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-0
2-07T17:00:27+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/paragraph_type?resourceVersion=id%3A19435\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/relationships/paragraph_type?resourceVersion=id%3A19435\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/field_specialty_item?resourceVersion=id%3A19435\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/269aaf52-85f1-411f-a67e-e9d9ad620d8a/relationships/field_specialty_item?resourceVersion=id%3A19435\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893?resourceVersion=id%3A19442\"}},\"attributes\":{\"drupal_internal__id\":3502,\"drupal_internal__revision_id\":19442,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:40:45+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eScheduling your CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eComplete the following steps to 
schedule and prepare for your CSRAP assessment:\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eScheduling your CSRAP\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eComplete the following steps to schedule and prepare for your CSRAP assessment:\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/paragraph_type?resourceVersion=id%3A19442\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/relationships/paragraph_type?resourceVersion=id%3A19442\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"116789c0-3ace-45d4-85ec-ef9e0aa216c5\",\"meta\":{\"target_revision_id\":19441,\"drupal_internal__target_id\":3511}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/field_specialty_item?resourceVersion=id%3A19442\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/3a3615ff-9d53-40d6-8291-fd4516dbc893/relationships/field_specialty_item?resourceVersion=id%3A19442\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa?resourceVersion=id%3A19443\"}},\"attributes\":{\"drupal_internal__id\":3503,\"drupal_internal__revision_id\":19443,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:42:07+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,
\"field_text_block\":{\"value\":\"\u003ch2\u003eImportant due dates\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eOnce you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. You can find more details about the artifacts in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e: 3 weeks before Preliminary Discussion Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 2 Artifacts\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTechnical Outputs\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003c/ul\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003eImportant due dates\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eOnce you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. 
You can find more details about the artifacts in the\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eCSRAP Handbook\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\u003cul\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e: 3 weeks before Preliminary Discussion Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTier 2 Artifacts\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003cli dir=\\\"ltr\\\"\u003e\u003cstrong\u003eTechnical Outputs\u003c/strong\u003e: 2 weeks before Assessment Kickoff Meeting\u003c/li\u003e\u003c/ul\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/paragraph_type?resourceVersion=id%3A19443\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/relationships/paragraph_type?resourceVersion=id%3A19443\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/field_specialty_item?resourceVersion=id%3A19443\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa/relationships/field_specialty_item?resourceVersion=id%3A19443\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page
_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d?resourceVersion=id%3A19444\"}},\"attributes\":{\"drupal_internal__id\":3504,\"drupal_internal__revision_id\":19444,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:42:52+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2 dir=\\\"ltr\\\"\u003eNeed help?\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eIf you have questions or need assistance, contact the CSRAP team via email: \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eYou can also review the CSRAP Handbook for all details on the process.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2 dir=\\\"ltr\\\"\u003eNeed help?\u003c/h2\u003e\u003cp dir=\\\"ltr\\\"\u003eIf you have questions or need assistance, contact the CSRAP team via email: \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003cp\u003eYou can also review the CSRAP Handbook for all details on the process.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your 
computer).\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/paragraph_type?resourceVersion=id%3A19444\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/relationships/paragraph_type?resourceVersion=id%3A19444\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/field_specialty_item?resourceVersion=id%3A19444\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/a46d03b7-7478-40f1-a7da-3171ffcfaa2d/relationships/field_specialty_item?resourceVersion=id%3A19444\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"116789c0-3ace-45d4-85ec-ef9e0aa216c5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5?resourceVersion=id%3A19441\"}},\"attributes\":{\"drupal_internal__id\":3511,\"drupal_internal__revision_id\":19441,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:11:46+00:00\",\"parent_id\":\"3502\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/paragraph_type?resourceVersion=id%3A19441\"},\"
self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/relationships/paragraph_type?resourceVersion=id%3A19441\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"8a1d84c1-95c5-48b5-86b9-4c882407749a\",\"meta\":{\"target_revision_id\":19436,\"drupal_internal__target_id\":3506}},{\"type\":\"paragraph--process_list_item\",\"id\":\"4141ae6a-5815-4a57-a071-1db86f64f189\",\"meta\":{\"target_revision_id\":19437,\"drupal_internal__target_id\":3507}},{\"type\":\"paragraph--process_list_item\",\"id\":\"d5c26c96-7000-4819-a38a-1bc09ccb4411\",\"meta\":{\"target_revision_id\":19438,\"drupal_internal__target_id\":3508}},{\"type\":\"paragraph--process_list_item\",\"id\":\"54a9fc7e-b81a-43c2-8ff3-e61f938d74b3\",\"meta\":{\"target_revision_id\":19439,\"drupal_internal__target_id\":3509}},{\"type\":\"paragraph--process_list_item\",\"id\":\"ae035b1f-08b9-41ab-bc34-28fe8261b666\",\"meta\":{\"target_revision_id\":19440,\"drupal_internal__target_id\":3510}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/field_process_list_item?resourceVersion=id%3A19441\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/116789c0-3ace-45d4-85ec-ef9e0aa216c5/relationships/field_process_list_item?resourceVersion=id%3A19441\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8a1d84c1-95c5-48b5-86b9-4c882407749a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a?resourceVersion=id%3A19436\"}},\"attributes\":{\"drupal_internal__id\":3506,\"drupal_internal__revision_id\":19436,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:11:46+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revis
ion_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eThe CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eThe CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect.\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/download/attachments/214794255/CSRAP%20Assessment%20Handbook%20v3.1.pdf?version=1\u0026amp;modificationDate=1711993052415\u0026amp;api=v2\\\"\u003eReview the handbook here\u003c/a\u003e (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).\u003c/p\u003e\"},\"field_list_item_title\":\"Review CSRAP 
Handbook\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a/paragraph_type?resourceVersion=id%3A19436\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8a1d84c1-95c5-48b5-86b9-4c882407749a/relationships/paragraph_type?resourceVersion=id%3A19436\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"4141ae6a-5815-4a57-a071-1db86f64f189\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189?resourceVersion=id%3A19437\"}},\"attributes\":{\"drupal_internal__id\":3507,\"drupal_internal__revision_id\":19437,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:12:16+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eYou will need your\u0026nbsp;\u003cstrong\u003eTier 1 CSRAP Artifacts\u003c/strong\u003e to proceed with CSRAP activities. Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application.\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eYou will need your\u0026nbsp;\u003cstrong\u003eTier 1 CSRAP Artifacts\u003c/strong\u003e to proceed with CSRAP activities. 
Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application.\u0026nbsp;\u003c/p\u003e\"},\"field_list_item_title\":\"Prepare required artifacts\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189/paragraph_type?resourceVersion=id%3A19437\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4141ae6a-5815-4a57-a071-1db86f64f189/relationships/paragraph_type?resourceVersion=id%3A19437\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"d5c26c96-7000-4819-a38a-1bc09ccb4411\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411?resourceVersion=id%3A19438\"}},\"attributes\":{\"drupal_internal__id\":3508,\"drupal_internal__revision_id\":19438,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:12:41+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eVisit the CMS CSRAP Confluence page (CMS Log-in Required) using the following URLs to select your preferred and secondary dates for the type of CSRAP assessment you require:\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Security Assessment \u003ca 
href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Risk Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003eEmail the CSRAP Team at \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested dates.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eVisit the CMS CSRAP Confluence page (CMS Log-in Required) using the following URLs to select your preferred and secondary dates for the type of CSRAP assessment you require:\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Security Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813098\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003e·\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; Risk Assessment \u003ca href=\\\"https://confluenceent.cms.gov/pages/viewpage.action?pageId=760813170\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eSchedule Available Slots\u003c/a\u003e\u003cbr\u003eEmail the CSRAP Team at \u003ca href=\\\"mailto:CSRAP@cms.hhs.gov\\\" target=\\\"_blank\\\" rel=\\\"noopener noreferrer\\\"\u003eCSRAP@cms.hhs.gov\u003c/a\u003e with your requested dates.\u003c/p\u003e\"},\"field_list_item_title\":\"Check the Available Slots in 
Confluence\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411/paragraph_type?resourceVersion=id%3A19438\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/d5c26c96-7000-4819-a38a-1bc09ccb4411/relationships/paragraph_type?resourceVersion=id%3A19438\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"54a9fc7e-b81a-43c2-8ff3-e61f938d74b3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3?resourceVersion=id%3A19439\"}},\"attributes\":{\"drupal_internal__id\":3509,\"drupal_internal__revision_id\":19439,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:13:22+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp dir=\\\"ltr\\\"\u003eCSRAP Team will confirm the dates via email and schedule a date for Preliminary meeting for assessment along with sending CSRAP intake form and Tier 1 document list to be completed and directly uploaded to CFACTS under Assessment Tab.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eAfter \\\"intake form\\\" is uploaded, notify CSRAP Team so they can review that.\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp dir=\\\"ltr\\\"\u003eCSRAP Team will confirm the dates via email and schedule a date for Preliminary meeting for assessment along with sending CSRAP intake form and Tier 1 document list to be completed and directly uploaded to CFACTS under Assessment 
Tab.\u0026nbsp;\u003c/p\u003e\u003cp dir=\\\"ltr\\\"\u003eAfter \\\"intake form\\\" is uploaded, notify CSRAP Team so they can review that.\u0026nbsp;\u003c/p\u003e\"},\"field_list_item_title\":\"Complete CSRAP intake Form\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3/paragraph_type?resourceVersion=id%3A19439\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/54a9fc7e-b81a-43c2-8ff3-e61f938d74b3/relationships/paragraph_type?resourceVersion=id%3A19439\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"ae035b1f-08b9-41ab-bc34-28fe8261b666\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666?resourceVersion=id%3A19440\"}},\"attributes\":{\"drupal_internal__id\":3510,\"drupal_internal__revision_id\":19440,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-12T18:13:37+00:00\",\"parent_id\":\"3511\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eYour team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed\u0026nbsp;\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. 
The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eYour team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed\u0026nbsp;\u003cstrong\u003eTier 1 Artifacts\u003c/strong\u003e at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.\u003c/p\u003e\"},\"field_list_item_title\":\"Prep for Preliminary Discussion Meeting\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666/paragraph_type?resourceVersion=id%3A19440\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ae035b1f-08b9-41ab-bc34-28fe8261b666/relationships/paragraph_type?resourceVersion=id%3A19440\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926?resourceVersion=id%3A19445\"}},\"attributes\":{\"drupal_internal__id\":656,\"drupal_internal__revision_id\":19445,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:24+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--para
graphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/paragraph_type?resourceVersion=id%3A19445\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/relationships/paragraph_type?resourceVersion=id%3A19445\"}}},\"field_link\":{\"data\":{\"type\":\"node--blog\",\"id\":\"d1446997-1d1b-4b7d-aa29-4e35dcd79dc2\",\"meta\":{\"drupal_internal__target_id\":1187}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/field_link?resourceVersion=id%3A19445\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/28dbad4c-79e6-4f83-bc5e-965ba6aa4926/relationships/field_link?resourceVersion=id%3A19445\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2?resourceVersion=id%3A19446\"}},\"attributes\":{\"drupal_internal__id\":661,\"drupal_internal__revision_id\":19446,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:55+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/paragraph_type?resourceVersion=id%3A19446\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/para
graph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/relationships/paragraph_type?resourceVersion=id%3A19446\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"3ca47d54-92ca-4015-b7a3-6875f0d42bb6\",\"meta\":{\"drupal_internal__target_id\":501}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/field_link?resourceVersion=id%3A19446\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2/relationships/field_link?resourceVersion=id%3A19446\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a?resourceVersion=id%3A19447\"}},\"attributes\":{\"drupal_internal__id\":671,\"drupal_internal__revision_id\":19447,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:16+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/paragraph_type?resourceVersion=id%3A19447\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/relationships/paragraph_type?resourceVersion=id%3A19447\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":{\"drupal_internal__target_id\":391}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal
_link/77c203ce-2da8-4200-986c-1093acc2ff5a/field_link?resourceVersion=id%3A19447\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/77c203ce-2da8-4200-986c-1093acc2ff5a/relationships/field_link?resourceVersion=id%3A19447\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a?resourceVersion=id%3A19448\"}},\"attributes\":{\"drupal_internal__id\":676,\"drupal_internal__revision_id\":19448,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:06:01+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/paragraph_type?resourceVersion=id%3A19448\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/relationships/paragraph_type?resourceVersion=id%3A19448\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"meta\":{\"drupal_internal__target_id\":361}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/field_link?resourceVersion=id%3A19448\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a/relationships/field_link?resourceVersion=id%3A19448\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"links
\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5?resourceVersion=id%3A19449\"}},\"attributes\":{\"drupal_internal__id\":681,\"drupal_internal__revision_id\":19449,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-07T17:09:14+00:00\",\"parent_id\":\"201\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/paragraph_type?resourceVersion=id%3A19449\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/relationships/paragraph_type?resourceVersion=id%3A19449\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"meta\":{\"drupal_internal__target_id\":631}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/field_link?resourceVersion=id%3A19449\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/c4a332dc-02ea-48f6-9c08-c12ca06e62b5/relationships/field_link?resourceVersion=id%3A19449\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9?resourceVersion=id%3A19450\"}},\"attributes\":{\"drupal_internal__id\":3505,\"drupal_internal__revision_id\":19450,\"langcode\":\"en\",\"status\":true,\"created\":\"2024-06-06T17:45:13+00:00\",\"parent_id\":\"201\",\"parent_type\":\"no
de\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/paragraph_type?resourceVersion=id%3A19450\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/relationships/paragraph_type?resourceVersion=id%3A19450\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"meta\":{\"drupal_internal__target_id\":681}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/field_link?resourceVersion=id%3A19450\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5cc61db4-e2f7-43ad-b914-3661d73886e9/relationships/field_link?resourceVersion=id%3A19450\"}}}}},{\"type\":\"node--blog\",\"id\":\"d1446997-1d1b-4b7d-aa29-4e35dcd79dc2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2?resourceVersion=id%3A5922\"}},\"attributes\":{\"drupal_internal__nid\":1187,\"drupal_internal__vid\":5922,\"langcode\":\"en\",\"revision_timestamp\":\"2024-09-18T18:12:36+00:00\",\"status\":true,\"title\":\"Avoid database breaches with ISPG’s free vulnerability scanning 
service\",\"created\":\"2024-05-01T14:38:06+00:00\",\"changed\":\"2024-09-18T18:12:36+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/posts/avoid-database-breaches-ispgs-free-vulnerability-scanning-service\",\"pid\":1192,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_short_description\":{\"value\":\"Before your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eBefore your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!\u003c/p\u003e\\n\"},\"field_video_link\":null},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"f382c03e-0cc5-4892-aa46-653a2d90fc05\",\"meta\":{\"drupal_internal__target_id\":\"blog\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/node_type?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/node_type?resourceVersion=id%3A5922\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/revision_uid?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/revision_uid?resourceVersion=id%3A5922\"}}},\"uid\":{\"data\":{\"t
ype\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/uid?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/uid?resourceVersion=id%3A5922\"}}},\"field_cover_image\":{\"data\":{\"type\":\"media--blog_cover_image\",\"id\":\"72738a9d-42bb-4ba9-90c2-635a49ceeb81\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_cover_image?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_cover_image?resourceVersion=id%3A5922\"}}},\"field_publisher_group\":{\"data\":{\"type\":\"group--team\",\"id\":\"3fd7f823-5271-484b-b015-377d55251796\",\"meta\":{\"drupal_internal__target_id\":20}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_publisher_group?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_publisher_group?resourceVersion=id%3A5922\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"cccd136f-b478-40f0-8ff8-fd73f75f4ab0\",\"meta\":{\"drupal_internal__target_id\":106}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_resource_type?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_resource_type?resourceVersion=id%3A5922\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe
50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_roles?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_roles?resourceVersion=id%3A5922\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/field_topics?resourceVersion=id%3A5922\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/blog/d1446997-1d1b-4b7d-aa29-4e35dcd79dc2/relationships/field_topics?resourceVersion=id%3A5922\"}}}}},{\"type\":\"node--library\",\"id\":\"3ca47d54-92ca-4015-b7a3-6875f0d42bb6\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6?resourceVersion=id%3A5752\"}},\"attributes\":{\"drupal_internal__nid\":501,\"drupal_internal__vid\":5752,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:52:22+00:00\",\"status\":true,\"title\":\"Risk Management Handbook Chapter 14: Risk Assessment 
(RA)\",\"created\":\"2022-08-29T18:04:54+00:00\",\"changed\":\"2024-08-05T15:52:22+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/risk-management-handbook-chapter-14-risk-assessment-ra\",\"pid\":491,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1e\",\"format\":\"body_text\",\"processed\":\"$1f\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2021-04-13\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2)\",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/676\",\"title\":\"Continuous Diagnostics and Mitigation (CDM) \",\"options\":[],\"url\":\"/learn/continuous-diagnostics-and-mitigation-cdm\"}],\"field_short_description\":{\"value\":\"RMH Chapter 14 identifies the policies and standards for the Risk Management family of controls\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eRMH Chapter 14 identifies the policies and standards for the Risk Management family of 
controls\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/node_type?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/node_type?resourceVersion=id%3A5752\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/revision_uid?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/revision_uid?resourceVersion=id%3A5752\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/uid?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/uid?resourceVersion=id%3A5752\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/field_resource_type?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_resource_type?resourceVersion=id%3A5752\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_
term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/field_roles?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_roles?resourceVersion=id%3A5752\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/field_topics?resourceVersion=id%3A5752\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/3ca47d54-92ca-4015-b7a3-6875f0d42bb6/relationships/field_topics?resourceVersion=id%3A5752\"}}}}},{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}},\"attributes\":{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing 
(PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ccic_sec_eng_and_soc\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":{\"drupal_internal__target_id\":122}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}}},\"uid\":{\"data\
":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}},{\"type\"
:\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f2467
4\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}}}}},{\"type\":\"node--explainer\",\"id\":\"5b6426b9-0294-40a7-9777-28b1e5871345\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345?resourceVersion=id%3A5569\"}},\"attributes\":{\"drupal_internal__nid\":361,\"drupal_internal__vid\":5569,\"langcode\":\"en\",\"revision_timestamp\":\"2024-06-07T20:13:41+00:00\",\"status\":true,\"title\":\"CMS Information System Risk Assessment (ISRA)\",\"created\":\"2022-08-29T16:38:23+00:00\",\"changed\":\"2024-06-06T16:33:51+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-information-system-risk-assessment-isra\",\"pid\":351,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team \",\"field_short_description\":{\"value\":\"Documentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDocumentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community 
\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/node_type?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/node_type?resourceVersion=id%3A5569\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/revision_uid?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/revision_uid?resourceVersion=id%3A5569\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/uid?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/uid?resourceVersion=id%3A5569\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"feb4d8d9-ed3e-43c2-b62b-f77023f548e9\",\"meta\":{\"target_revision_id\":18217,\"drupal_internal__target_id\":476}},{\"type\":\"paragraph--page_section\",\"id\":\"b08b1d31-0c03-4be6-8cf9-f50c60301736\",\"meta\":{\"target_revision_id\":18218,\"drupal_internal__target_id\":3477}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_page_section?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.
cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_page_section?resourceVersion=id%3A5569\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"15c0be8e-28f3-4243-81c4-b3fde7bfe552\",\"meta\":{\"target_revision_id\":18219,\"drupal_internal__target_id\":1856}},{\"type\":\"paragraph--internal_link\",\"id\":\"944c647d-37f9-4d4d-8a1e-f5e9983042c4\",\"meta\":{\"target_revision_id\":18220,\"drupal_internal__target_id\":1861}},{\"type\":\"paragraph--internal_link\",\"id\":\"8719d442-16f0-42ef-a4c6-2c807896ddb8\",\"meta\":{\"target_revision_id\":18221,\"drupal_internal__target_id\":1866}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_related_collection?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_related_collection?resourceVersion=id%3A5569\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_resource_type?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_resource_type?resourceVersion=id%3A5569\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-42
9e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_roles?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_roles?resourceVersion=id%3A5569\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/field_topics?resourceVersion=id%3A5569\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/5b6426b9-0294-40a7-9777-28b1e5871345/relationships/field_topics?resourceVersion=id%3A5569\"}}}}},{\"type\":\"node--library\",\"id\":\"5077403d-f7aa-4bc8-b274-7af05e7134bb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb?resourceVersion=id%3A5771\"}},\"attributes\":{\"drupal_internal__nid\":631,\"drupal_internal__vid\":5771,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:01:58+00:00\",\"status\":true,\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"created\":\"2023-01-17T18:18:03+00:00\",\"changed\":\"2024-08-05T16:01:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"pid\":621,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$20\",\"format\":\"body_text\",\"processed\":\"$21\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2022-04-22\",\"field_related_resources\":[{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security and Privacy Policy (IS2P2) \",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/681\",\"title\":\"CMS Security and Privacy Handbooks\",\"options\":[],\"url\":\"/learn/cms-security-and-privacy-handbooks\"}],\"field_short_description\":{\"value\":\"Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eStandards for the minimum security and privacy controls required to mitigate risk for CMS information 
systems\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/node_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/node_type?resourceVersion=id%3A5771\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/revision_uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/revision_uid?resourceVersion=id%3A5771\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/uid?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/uid?resourceVersion=id%3A5771\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_resource_type?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_resource_type?resourceVersion=id%3A5771\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_te
rm--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_roles?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_roles?resourceVersion=id%3A5771\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/field_topics?resourceVersion=id%3A5771\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/5077403d-f7aa-4bc8-b274-7af05e7134bb/relationships/field_topics?resourceVersion=id%3A5771\"}}}}},{\"type\":\"node--explainer\",\"id\":\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675?resourceVersion=id%3A5970\"}},\"attributes\":{\"drupal_internal__nid\":681,\"drupal_internal__vid\":5970,\"langcode\":\"en\",\"revision_timestamp\":\"2024-11-21T20:30:37+00:00\",\"status\":true,\"title\":\"CMS Security and Privacy 
Handbooks\",\"created\":\"2023-02-04T16:50:42+00:00\",\"changed\":\"2024-11-21T20:30:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-security-and-privacy-handbooks\",\"pid\":671,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eProcedures to help CMS staff and contractors implement federal policies and standards for information security and privacy\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/node_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/node_type?resourceVersion=id%3A5970\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/revision_uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/revision_uid?resourceVersion=id%3A5970\"}}},\"uid\":{\"data\":{\
"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/uid?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/uid?resourceVersion=id%3A5970\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"6348291e-48d1-4a0e-9a57-ac86d40af43e\",\"meta\":{\"target_revision_id\":19550,\"drupal_internal__target_id\":556}},{\"type\":\"paragraph--page_section\",\"id\":\"f5048b9a-b22a-4e67-abde-e964ff928b22\",\"meta\":{\"target_revision_id\":19551,\"drupal_internal__target_id\":1031}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_page_section?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_page_section?resourceVersion=id%3A5970\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"0f74c41a-2461-4cf5-b11e-ff7ce0b96f66\",\"meta\":{\"target_revision_id\":19552,\"drupal_internal__target_id\":566}},{\"type\":\"paragraph--internal_link\",\"id\":\"fe6656d7-9b88-4a4c-a27f-e41c610ab068\",\"meta\":{\"target_revision_id\":19553,\"drupal_internal__target_id\":571}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d4e83c-5a1f-466b-9518-5400af425d7f\",\"meta\":{\"target_revision_id\":19554,\"drupal_internal__target_id\":576}},{\"type\":\"paragraph--internal_link\",\"id\":\"9967f006-5e08-4568-b636-63e8e8050a8f\",\"meta\":{\"target_revision_id\":19555,\"drupal_internal__target_id\":2776}},{\"type\":\"paragraph--internal_link\",\"id\":\"e0709a54-90c1-4f0d-b02a-5e8dce6acc17\",\"meta\":{\"target_revision_id\":19556,\"drupal_internal__target_id\":1871}},{\"type\":\"parag
raph--internal_link\",\"id\":\"9c79715c-bf72-4433-9d27-f6a64a297c18\",\"meta\":{\"target_revision_id\":19557,\"drupal_internal__target_id\":3512}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_related_collection?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_related_collection?resourceVersion=id%3A5970\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_resource_type?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_resource_type?resourceVersion=id%3A5970\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_roles?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_roles?resourceVersion=id
%3A5970\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/field_topics?resourceVersion=id%3A5970\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/e58a0846-aa6a-43bf-a0a8-a40cfafe0675/relationships/field_topics?resourceVersion=id%3A5970\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$22\",\"39240c69-3096-49cd-a07c-3843b6c48c5f\":\"$2c\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$30\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$34\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4e\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$68\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$82\",\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\":\"$9c\",\"65ef6410-4066-4db4-be03-c8eb26b63305\":\"$b6\",\"f36fb6d1-0795-400f-8a15-36d1979118b0\":\"$d0\",\"eb5b28d8-8825-43c5-a889-513068f48fd8\":\"$e3\",\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\":\"$f4\",\"3a3615ff-9d53-40d6-8291-fd4516dbc893\":\"$107\",\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\":\"$11a\",\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\":\"$12b\",\"116789c0-3ace-45d4-85ec-ef9e0aa216c5\":\"$13c\",\"8a1d84c1-95c5-48b5-86b9-4c882407749a\":\"$157\",\"4141ae6a-5815-4a57-a071-1db86f64f189\":\"$164\",\"d5c26c96-7000-4819-a38a-1bc09ccb4411\":\"$171\",\"54a9fc7e-b81a-43c2-8ff3-e61f938d74b3\":\"$17e\",\"ae035b1f-08b9-41ab-bc34-28fe8261b666\":\"$18b\",\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\":\"$198\",\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\":\"$1aa\",\"77c203ce-2da8-4200-986c-1093acc2ff5a\":\"$1bc\",\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\":\"$1ce\",\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\":\"$1e0\",\"5cc61db4-e2f7-43ad-b914-3661d73886e9\":\"$1f2\",\"d1446997-1d1b-4b7d-aa29-4e35dcd79dc2\":\"$204\",\"3ca47d54-92ca-4015-b7a3-6875f0d42bb6\":\"$248\",\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\":\
"$289\",\"5b6426b9-0294-40a7-9777-28b1e5871345\":\"$2d9\",\"5077403d-f7aa-4bc8-b274-7af05e7134bb\":\"$323\",\"e58a0846-aa6a-43bf-a0a8-a40cfafe0675\":\"$362\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational 
burden.\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Cybersecurity and Risk Assessment Program (CSRAP) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |