<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Email Encryption Requirements at CMS | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Summary of email encryption practices required by 
federal policies and directives that help CMS employees keep sensitive information safe"/><link rel="canonical" href="https://security.cms.gov/learn/email-encryption-requirements-cms"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Email Encryption Requirements at CMS | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe"/><meta property="og:url" content="https://security.cms.gov/learn/email-encryption-requirements-cms"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/email-encryption-requirements-cms/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Email Encryption Requirements at CMS | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/email-encryption-requirements-cms/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main 
content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div 
class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium 
tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate 
(ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" 
id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Email Encryption Requirements at CMS</h1><p class="hero__description">Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li 
class="line-height-sans-5 margin-top-0">#ispg-sec_privacy-policy</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of contents entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is considered “sensitive information”?</h2><p>CMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:</p><ul><li>Compromise the security or privacy of CMS employees or customers</li><li>Negatively impact CMS or its programs</li><li>Compromise the security of proprietary CMS information or systems</li></ul><p>Another way to think of it is, “any information that is not public or is sensitive.” When in doubt, it's best to be cautious and treat the information as sensitive.</p><p>Emails containing CMS sensitive information should only be sent to people on a “need to know” basis.</p><h2>When do I need to encrypt my email?</h2><p>You <strong>do not</strong> need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain — even if the email contains CMS sensitive information. 
If an email with sensitive information <strong>will go outside</strong> the CMS domain, it should be encrypted.</p><p>CMS is no longer part of the HHS email shared service environment.&nbsp; HHS and other OpDivs need to be treated the same as all other non-CMS entities.</p><h2>How do I encrypt my email?</h2><p>For recipients <strong>outside of the CMS email</strong> service environment or trusted domain:</p><ul><li>Encrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.</li><li>Place the CMS sensitive information in a password-protected, encrypted email attachment using software that meets FIPS 140-2 for encryption (e.g., SecureZip).</li><li>Step-by-step instructions for encrypting your email can be found on <a href="https://cmsitsm.servicenowservices.com/connect?page=search&amp;q=email%20encryption&amp;disableAllSuggestions=false&amp;search_application=35b361901b5191100888ed7bbc4bcba5&amp;disableSpellCheck=false&amp;spa=1">CMS Connect</a>.</li></ul><h2>Passwords for encrypted attachments</h2><p>Sometimes you may need to share a password for someone to access an encrypted email attachment.&nbsp; The method for sharing the password should protect it from compromise; in particular, the password should not travel over the same channel as the encrypted attachment it protects.</p><p>The following mediums <strong>are not</strong> acceptable for sharing these passwords:</p><ul><li>Email</li><li>Instant messaging clients that are integrated with Microsoft Outlook (e.g., Lync / Skype)</li></ul><p>The following mediums <strong>are</strong> acceptable for sharing these passwords:</p><ul><li>Over the phone</li><li>Text message</li><li>Shared secret (e.g., “It's the name of our city's baseball team”)</li></ul><h2>Who enforces email encryption policies?</h2><p>The Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. 
This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-enterprise-data-encryption-cede">CMS Enterprise Data Encryption (CEDE)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>How CMS satisfies federal requirements for the encryption of data to keep sensitive information safe</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security &amp; Privacy Policy (IS2P2)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>The IS2P2 defines how CMS protects and controls access to its information and systems. 
It outlines compliance activities and defines roles and responsibilities.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/zero-trust">Zero Trust </a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Security paradigm that requires the continuous verification of system users to promote system security</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy 
policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. 
Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"email-encryption-requirements-cms\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"email-encryption-requirements-cms\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"email-encryption-requirements-cms\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"email-encryption-requirements-cms\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templat
eScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/p
age-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship 
Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program 
(CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO 
stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy 
(IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program 
(FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero 
Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident 
Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Tbd2,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is considered “sensitive information”?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompromise the security or privacy of CMS employees or customers\u003c/li\u003e\u003cli\u003eNegatively impact CMS or its programs\u003c/li\u003e\u003cli\u003eCompromise the security of proprietary CMS information or systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAnother way to think of it is, “any information that is not public or is sensitive.” When in doubt, its best to be cautious and treat the information as sensitive.\u003c/p\u003e\u003cp\u003eEmails containing CMS sensitive information should only be sent to people on a “need to know” basis.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhen do I need to encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eYou 
\u003cstrong\u003edo not\u003c/strong\u003e need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain — even if the email contains CMS sensitive information. If an email with sensitive information \u003cstrong\u003ewill go outside\u003c/strong\u003e the CMS domain, it should be encrypted.\u003c/p\u003e\u003cp\u003eCMS is no longer part of the HHS email shared service environment.\u0026nbsp; HHS and other OpDivs need to be treated the same as all other non-CMS entities.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do I encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor recipients \u003cstrong\u003eoutside of the CMS email\u003c/strong\u003e service environment or trusted domain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEncrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/li\u003e\u003cli\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using encryption software that meets FIPS 140-2 requirements (e.g., SecureZip).\u003c/li\u003e\u003cli\u003eStep-by-step instructions for encrypting your email can be found on \u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=search\u0026amp;q=email%20encryption\u0026amp;disableAllSuggestions=false\u0026amp;search_application=35b361901b5191100888ed7bbc4bcba5\u0026amp;disableSpellCheck=false\u0026amp;spa=1\"\u003eCMS Connect\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003ePasswords for encrypted attachments\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSometimes you may need to share a password for someone to access an encrypted email attachment.\u0026nbsp; The method for sharing the password should protect it from compromise.\u003c/p\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare not\u003c/strong\u003e acceptable for sharing these 
passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmail\u003c/li\u003e\u003cli\u003eInstant messaging clients that are integrated with Microsoft Outlook (e.g., Lync/Skype)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOver the phone\u003c/li\u003e\u003cli\u003eText message\u003c/li\u003e\u003cli\u003eShared secret (e.g., “It's the name of our city's baseball team”)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWho enforces email encryption policies?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Tbd2,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is considered “sensitive information”?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompromise the security or privacy of CMS employees or customers\u003c/li\u003e\u003cli\u003eNegatively impact CMS or its programs\u003c/li\u003e\u003cli\u003eCompromise the security of proprietary CMS information or systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAnother way to think of it is “any information that is not public or is sensitive.” When in doubt, it's best to be cautious and treat the information as sensitive.\u003c/p\u003e\u003cp\u003eEmails containing CMS sensitive information should only be sent to people on a “need to know” basis.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhen do I need to encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eYou \u003cstrong\u003edo 
not\u003c/strong\u003e need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain — even if the email contains CMS sensitive information. If an email with sensitive information \u003cstrong\u003ewill go outside\u003c/strong\u003e the CMS domain, it should be encrypted.\u003c/p\u003e\u003cp\u003eCMS is no longer part of the HHS email shared service environment.\u0026nbsp; HHS and other OpDivs need to be treated the same as all other non-CMS entities.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do I encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor recipients \u003cstrong\u003eoutside of the CMS email\u003c/strong\u003e service environment or trusted domain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEncrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/li\u003e\u003cli\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using encryption software that meets FIPS 140-2 requirements (e.g., SecureZip).\u003c/li\u003e\u003cli\u003eStep-by-step instructions for encrypting your email can be found on \u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=search\u0026amp;q=email%20encryption\u0026amp;disableAllSuggestions=false\u0026amp;search_application=35b361901b5191100888ed7bbc4bcba5\u0026amp;disableSpellCheck=false\u0026amp;spa=1\"\u003eCMS Connect\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003ePasswords for encrypted attachments\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSometimes you may need to share a password for someone to access an encrypted email attachment.\u0026nbsp; The method for sharing the password should protect it from compromise.\u003c/p\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare not\u003c/strong\u003e acceptable for sharing these 
passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmail\u003c/li\u003e\u003cli\u003eInstant messaging clients that are integrated with Microsoft Outlook (e.g., Lync/Skype)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOver the phone\u003c/li\u003e\u003cli\u003eText message\u003c/li\u003e\u003cli\u003eShared secret (e.g., “It's the name of our city's baseball team”)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWho enforces email encryption policies?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T34350,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this \u003cem\u003ePolicy \u003c/em\u003edefines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information. 
As the federal agency responsible for administering the Medicare, Medicaid, Children's Health Insurance Program (CHIP), and Health Insurance Exchange (HIX), CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, or guidance. All NIST Special Publication (SP) 800 series are applicable to CMS policy including the \u003cem\u003eIS2P2\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003erequires all CMS stakeholders, including Business Owners and System Security and Privacy Officer (formerly known as ISSO) to implement adequate information security and privacy safeguards to protect all CMS-sensitive information. The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the Senior Official for Privacy (SOP) jointly develop and maintain this document. All references contained in this \u003cem\u003ePolicy \u003c/em\u003eare subject to periodic revision, update, and reissuance.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS Information Security and Privacy Group (ISPG), under the direction of the CMS Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), is tasked with overseeing the Cybersecurity and Privacy Programs for the agency. Following the Federal and HHS requirements, CMS ISPG identifies cybersecurity and privacy risks, implements mitigation strategies and ensures the confidentiality, integrity, and availability of CMS-sensitive information and information systems. 
These activities are aimed at safeguarding and preventing unauthorized disclosure of Personally Identifiable Information (PII) and Protected Health Information (PHI) entrusted to CMS.\u003c/p\u003e\u003cp\u003eISPG recognized the need to develop a policy that references and incorporates the security and privacy requirements from authoritative sources while tailoring it to suit the CMS physical and information technology environments. This \u003cem\u003ePolicy \u003c/em\u003eexplains the scope and applicability of security and privacy requirements as it pertains to CMS information systems. This \u003cem\u003ePolicy \u003c/em\u003ealso defines the security and privacy control baselines as well as the supplemental controls available for selection and should be used in conjunction with the \u003cem\u003eAcceptable Risk Safeguards (ARS)\u003c/em\u003e, CMS process guidelines and other supporting CMS-established policies, procedures, and standards. The format of these requirements is scalable to accommodate modifications or the addition of new requirements over time as a result of the ever-changing cybersecurity landscape.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003esupersedes the \u003cem\u003eCMS Information System Security and Privacy Policy (IS2P2) v 3.3\u003c/em\u003e, and supplements the HHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P) v 1.1\u003c/em\u003e, and it applies to all CMS personnel or entities:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConducting business for CMS\u003c/li\u003e\u003cli\u003eCollecting or maintaining information for CMS\u003c/li\u003e\u003cli\u003eUsing or operating information systems on behalf of CMS whether directly or through contractual relationships.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe below list of CMS personnel or entities include, but are not limited 
to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational components, centers, or offices\u003c/li\u003e\u003cli\u003eFederal employees, contractor personnel, interns, or other non-government employees operating on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not supersede any other applicable laws, higher-level agency directives, or the existing labor-management agreement in place.\u003c/p\u003e\u003cp\u003eThe contents of and the compliance with this \u003cem\u003ePolicy \u003c/em\u003emust be incorporated into the applicable contract language, as appropriate. Any contract, agreement, or other arrangement that collects, creates, uses, discloses, or maintains sensitive information, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI), must comply with this \u003cem\u003ePolicy\u003c/em\u003e. In some cases, other external agency policies may also apply (e.g., if a system processes, stores, or transmits Federal Tax Information [FTI]).\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, \u003cem\u003eUnited States Intelligence Activities, \u003c/em\u003eor subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. 
Privacy Act questions should be directed to the CMS Privacy Act Officer.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthorities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including FISMA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Privacy Act of 1974 (“Privacy Act”). This \u003cem\u003ePolicy \u003c/em\u003eaddresses CMS applicable information security and privacy requirements arising from federal legislation, mandates, directives, executive orders, and the Department of Health and Human Services (HHS) policies by integrating NIST Special Publication (SP) 800-53 Revision 5, \u003cem\u003eSecurity and Privacy Controls for Federal Information Systems and Organizations \u003c/em\u003ewith the \u003cem\u003eDepartment of Health and Human Services Policy for Information Systems Security and Privacy Protection (HHS IS2P) \u003c/em\u003eand other specific programmatic legislations and CMS regulations. The authoritative references include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuy American Act, 41 U.S.C §§ 8301-8305\u003c/li\u003e\u003cli\u003eDHS Binding Operational Directive 18-02, Securing High-Value Assets May 7, 2018\u003c/li\u003e\u003cli\u003eExecutive Order 13556, the Controlled Unclassified Information (CUI) program\u003c/li\u003e\u003cli\u003eE-Government Act of 2002 (44 U.S.C. Chapters 35 and 36)\u003c/li\u003e\u003cli\u003eFamily Educational Rights and Privacy Act (FERPA) 20 U.S.C. 
§ 1232g\u003c/li\u003e\u003cli\u003eFederal Acquisition Supply Chain Security Act of 2018\u003c/li\u003e\u003cli\u003eFederal Information Processing Standards: FIPS 140-2, FIPS 199, FIPS 200, FIPS 201-1\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C § 3551\u003c/li\u003e\u003cli\u003eFinancial Audit Manual (FAM), GAO-18-G01G: Published June 14, 2018\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996)\u003c/li\u003e\u003cli\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/li\u003e\u003cli\u003eHomeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eH.R. 
1232 Federal Information Technology Acquisition Reform\u003c/li\u003e\u003cli\u003eNational Archives and Records Administration, CUI Registry\u003c/li\u003e\u003cli\u003eNIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/li\u003e\u003cli\u003eNIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u003c/li\u003e\u003cli\u003eNIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003eNIST SP 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Revision 1, Guidelines for Media Sanitization\u003c/li\u003e\u003cli\u003eNIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices\u003c/li\u003e\u003cli\u003eNIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eNIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing\u003c/li\u003e\u003cli\u003eNIST SP 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)\u003c/li\u003e\u003cli\u003eNIST SP 800-171, Rev. 
2, Protecting CUI in Nonfederal Systems\u003c/li\u003e\u003cli\u003eNIST SP 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies\u003c/li\u003e\u003cli\u003eNIST SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130, Managing Information as a Strategic Resource\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information\u003c/li\u003e\u003cli\u003eOMB memorandums M-02-01, M-03-22, M-10-22, M-10-23, M-16-17, M-14-03, M-17-12\u003c/li\u003e\u003cli\u003eOPM Information systems security awareness training program, 5 CFR § 930.301\u003c/li\u003e\u003cli\u003ePublic Law 113-291, Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018\u003c/li\u003e\u003cli\u003eSection 508 of the Rehabilitation Act of 1973, as amended in 1998 (29 U.S.C 794d)\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 as amended (5 U.S.C. 552a).\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDocument Organization\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CIO, CISO, and SOP designed this \u003cem\u003ePolicy \u003c/em\u003eto comply with the NIST 800-53, Revision 5, Program Management (PM) control family. This \u003cem\u003ePolicy \u003c/em\u003eintegrates information security and privacy roles, responsibilities, and controls into the CMS Information Security and Privacy Program. 
The key contents of this \u003cem\u003ePolicy \u003c/em\u003einclude:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn overall description of the Information Security and Privacy Program (Section 6)\u003c/li\u003e\u003cli\u003eDescriptions of specific roles and responsibilities of key CMS security and privacy Stakeholders (Section 7)\u003c/li\u003e\u003cli\u003eDefining HHS and CMS-specific tailored policies, policies associated with the security and privacy control families, and the consequences for non-compliance (Sections 8, 9, \u0026amp; 10)\u003c/li\u003e\u003cli\u003eSupporting Appendices provide references, a glossary of terms, and acronyms:\u003cul\u003e\u003cli\u003eAppendix A: References\u003c/li\u003e\u003cli\u003eAppendix B: Glossary of Terms and Acronyms.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn accordance with HHS policy, CMS must update this \u003cem\u003ePolicy \u003c/em\u003eat least every three years (36 months). In cases where existing policy is insufficient to address changes in governance (e.g., legislation, directives, mandates, executive orders, or HHS policy) or emerging technology, the CMS CIO may publish ad hoc or specialized interim directives or memorandums to address the area of concern. As appropriate, the interim directive or memorandum may be integrated into future releases of or incorporated as an appendix to this \u003cem\u003ePolicy\u003c/em\u003e. The CMS CISO and SOP may develop \u003cem\u003ememorandums \u003c/em\u003ethat provide actionable guidance that supports best practices and procedures in support of the implementation of CIO policies and directives, along with legislation, mandates, executive orders and other federal mandates.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInformation Security and Privacy Program Summary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CISO and SOP are responsible for managing the Information Security and Privacy Program (henceforth “Program”). 
This section describes how specific functional areas of the Program help CMS stakeholders apply this \u003cem\u003ePolicy \u003c/em\u003ein protecting CMS information and information systems.\u003c/p\u003e\u003cp\u003eCMS security and privacy disciplines are now integrated into a single Program. However, there are requirements unique to each discipline. Privacy as well as security policies apply to CMS programs and activities at their inception, even before information systems are identified or defined. Business Owners must identify the security and privacy requirements, compliance documentation, and contract requirements prior to system development.\u003c/p\u003e\u003cp\u003ePrivacy policies apply to the collection, creation, use, disclosure, and retention of information that identifies an individual (i.e., PII, including PHI) in electronic or physical form. CMS's responsibility for protecting the privacy interests of individuals applies to all types of information, regardless of its form. All CMS standards, regulations, directives, practices, and procedures must clearly state that all forms of information must be protected.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePolicy and Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe policy and governance functional area establishes and implements the information security and privacy program which develops organizational security and privacy policies, standards, directives, practices, and procedures within the CMS environment. The responsibilities include developing, implementing, and disseminating this \u003cem\u003ePolicy \u003c/em\u003eto align with and supplement HHS policies, federal legislation, and best practices. 
The \u003cem\u003eCMS Acceptable Risk Safeguards (ARS) \u003c/em\u003eis the HHS Operating Division (OpDiv) of CMS's implementation of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and it contains detailed minimum control standards that are traceable to the policies contained herein. Each security and privacy control description provides CMS-specified implementation details for all the security and privacy controls allocated as a baseline to an identified CMS FISMA system based on the FIPS 199 Security Category. Additional CMS-established policies and procedures can serve as further guidance for administering CMS standards, requirements, directives, practices, and procedures for protecting CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management and Compliance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe risk management and compliance functional area provides a multi-level approach to managing information system-related security and privacy risks at the \u003cem\u003eenterprise level\u003c/em\u003e, the \u003cem\u003emission/business process \u003c/em\u003elevel, and the \u003cem\u003einformation system \u003c/em\u003elevel to protect CMS information system assets and individuals accessing these assets. CMS provides a risk-based approach for managing information system-related security and privacy risk which is based on NIST SP 800-37, Revision 2, \u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. \u003c/em\u003eThis framework includes developing and updating risk management and compliance processes and procedures to align with HHS policies, federal legislation, and federal cybersecurity and privacy frameworks. 
The CMS security and privacy program, under the direction of the Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), oversees the agency-wide implementation of this framework which includes Security Assessment and Authorization (SA\u0026amp;A), Continuous Diagnostics and Mitigation (CDM), FISMA reporting, internal assessments/audits, and other external assessments/audits.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe awareness and training functional area provides organizational security and privacy awareness training and specific role-based training (RBT) for all CMS stakeholders with Significant Security Responsibilities (SSR). The responsibilities include developing curriculum and content, delivering training, ensuring training policies and procedures are current, tracking training status, and reporting on completed security awareness and RBT courses.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat and Incident Handling\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cyber threat and incident handling functional area supports CMS's cyber threat intelligence, information sharing, and incident handling, including breach response. The responsibilities include developing, updating, and disseminating processes and procedures to coordinate information sharing and investigating incidents across CMS, following established CMS Incident Response (IR) procedures.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuity of Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe continuity of operations functional area provides plans and procedures to ensure continuity of operations for information systems that support CMS operations and assets. 
The responsibilities include developing processes and procedures for system contingency planning, disaster recovery, and participation in federal continuity exercises.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section details significant information security and privacy roles and responsibilities for CMS stakeholders. The responsibilities, defined by role rather than position, are derived from the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, RBT requirements, and CMS-specific responsibilities. This section also enhances the responsibilities defined within the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, to address CMS's needs. Therefore, CMS stakeholders must also refer to the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003efor additional detail.\u003c/p\u003e\u003cp\u003eA current version of the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003emay be requested via the HHS Office of Information Security (OIS) mailbox at \u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\"\u003eHHSCybersecurityPolicy@hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eMost of the roles described in this section are restricted to federal employees based on the specific position and role they fulfill within the CMS organization, while others may be filled by either a federal employee or a contractor.\u003c/p\u003e\u003cp\u003eFor additional information, please check CMS Organizational Charts.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS personnel, whether federal employees, contractors (including subcontractors), or entities operating on behalf of CMS, must adhere to the information security and privacy 
responsibilities defined within this section. This subsection describes CMS-specific responsibilities for the roles “All Users” and “Supervisors.”\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFederal Employees and Contractors (All Users)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAll CMS federal employees and contractors (including subcontractors) must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.36, \u003cem\u003eAll Users\u003c/em\u003e. All users have the responsibility to protect CMSs information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction by complying with the information security and privacy requirements maintained in this Policy.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P the responsibilities of the CMS federal employees and contractors must include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConsider all \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf\"\u003ebrowsing activities sensitive\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNotify the CMS CISO and SOP of actual or suspected information security and privacy incidents and breaches, including CMS sensitive data, using CMS specified procedures established in the CMS Incident Response (IR) procedures and applicable Rules of Behavior (RoB).\u003c/li\u003e\u003cli\u003eComplete mandatory security and privacy awareness training before accessing CMS information systems and annually thereafter.\u003c/li\u003e\u003cli\u003eFor all newly hired personnel and staff, and those who transfer into a new position with significant security and/or privacy responsibilities, complete specialized security or privacy RBT as appropriate for their assigned roles within 60 days of entry on duty or upon assuming new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/li\u003e\u003cli\u003eFor contractors with significant security and/or privacy responsibilities, complete specialized RBT within 60 days of beginning work on a contract. They must complete RBT at least annually thereafter.\u003c/li\u003e\u003cli\u003eReport anomalies when CMS programs, systems, or applications are collecting, creating, using, disclosing, or retaining more than the minimum data necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupervisors\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupervisors may be federal employees or contractors2 and must fulfill all responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.37, \u003cem\u003eSupervisors\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of Supervisors include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotify the appropriate System Security and Privacy Officer (Previously known as ISSO) (or the CMS CISO or designee, if the System Security and Privacy Officer (Previously known as the ISSO) \u0026nbsp;is not available) within one hour of any unexpected departure or separation of a CMS employee or contractor.\u003c/li\u003e\u003cli\u003eEnsure personnel under their direct report complete all required information security training, including privacy and RBT, within the mandated time frames established in the CMS Incident Response (IR) procedures.\u003c/li\u003e\u003cli\u003eEnsure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity\u003c/a\u003e\u0026nbsp;designation as derived by the use of the \u003ca 
href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHuman Resource Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eHuman Resource Officer must be an agency official (federal government employee) and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinating with appropriate CMS CIO POCs and Office of Security, Facilities and Logistics Operations (OSFLO) POCs to ensure background checks are conducted for individuals with significant security responsibilities.\u003c/li\u003e\u003cli\u003eNotifying the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) within one business day when CMS personnel are separated from the Department.\u003c/li\u003e\u003cli\u003eEnsuring relevant paperwork, interviews, and notifications are sent to the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) when personnel join, transfer within, or leave the organization, either permanently or on detail.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees \u003c/strong\u003ewith regard to security incidents.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees\u003c/strong\u003e\u0026nbsp;relative to PII breaches and violations.\u003c/li\u003e\u003cli\u003eEnsuring all HR systems and records/data are maintained, used and shared in compliance with the Privacy Act of 1974, as amended (5 U.S.C. 
552a) and the HHS implementing regulations and applicable Systems of Records Notices (SORNs), and, all other applicable laws, policies and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Federal Executives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of CMS Federal Executives, including the Administrator, Chief Financial Officer (CFO), Personnel and Physical Security Officers (PPSO), and Operations Executive (OE). Only agency officials (federal government employees) are authorized to fill these roles.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAdministrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Administrator must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.2, \u003cem\u003eOpDiv Heads, \u003c/em\u003eincluding “Delegating responsibility and authority for management of HHS Operating Division (OpDiv) IT security and privacy programs to the OpDiv CIOs,” and those identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII). 
\u003c/em\u003eThese responsibilities include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDelegating responsibility and authority for making final decisions regarding external breach notification and issuing written notification to individuals affected by a privacy breach.\u003c/li\u003e\u003cli\u003eReceiving inquiries, investigations, or audits from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security Rules and coordinating responses with the Chief Information Officer and other appropriate staff.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS's Continuity of Operations Program Policy also requires the Administrator to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncorporate continuity of operations requirements into all CMS activities and operations\u003c/li\u003e\u003cli\u003eDesignate in writing an accountable official as the Agency Continuity Point of Contact, who is directly responsible to the Administrator for management oversight of the CMS continuity program and who is the single point of contact for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Financial Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CFO must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.3, \u003cem\u003eOffice of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO).\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePersonnel and Physical Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe PPSO must fulfill the shared responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.6, \u003cem\u003eOffice of National Security (ONS). 
\u003c/em\u003eIn addition to the HHS IS2P, the general and incident response responsibilities of the PPSO must include, but are not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProtect employees, visitors, and CMS-owned and CMS-occupied critical infrastructure\u003c/li\u003e\u003cli\u003eCoordinate national security information services to all components within the Office of the Administrator (OA).\u003c/li\u003e\u003cli\u003eCoordinate with appropriate CMS CIO POCs and HHS POCs to ensure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity designation\u003c/a\u003e\u0026nbsp;as derived by the use of the \u003ca href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipate at the request of law enforcement, the HHS Computer Security Incident Response Center (CSIRC), the HHS Office of the Inspector General (OIG), and/or the CMS Cybersecurity Integration Center (CCIC) in investigating security and privacy incidents and breaches involving federal employees and/or CMS contractor personnel.\u003c/li\u003e\u003cli\u003eParticipate at the request of the HHS Privacy Incident Response Team (PIRT) and/or the CMS Breach Analysis Team (BAT) in investigating incidents and/or violations involving federal employees, PII, PHI, and/or Federal Tax Information (FTI).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOperations Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Operations Executive must fulfill the responsibilities that include, but are not limited to, the 
following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee day-to-day information security and privacy operations for CMS employees.\u003cul\u003e\u003cli\u003eDevelop and maintain, in coordination with the CISO and SOP, the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy\u003c/em\u003e, to address, at a minimum, the following Acceptable Use standards:\u003cul\u003e\u003cli\u003ePrivacy requirements must be identified in contracts and acquisition-related documents.\u003c/li\u003e\u003cli\u003ePersonal use of CMS IT resources must comply with \u003cem\u003eHHS Policy for Personal Use of Information Technology Resources\u003c/em\u003e, such that personal use of CMS IT resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure all CMS system users annually read and sign the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information Resources\u003c/em\u003e, which governs the appropriate use of CMS IT resources.\u003c/li\u003e\u003cli\u003eInform CMS employees and contractors that use of CMS information resources, other than for authorized purposes, is a violation of the HHS RoB and Article 35 of the Master Labor Agreement and is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges that could result in imprisonment. 
CMS bargaining unit employees must also adhere to Article 35 of the Master Labor Agreement.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors encrypt CMS sensitive information transmitted to a non-CMS controlled environment,7 including but not limited to email, using Federal Information Processing Standard (FIPS) 140-3 compliant encryption solutions/modules.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors are prohibited from transmitting sensitive CMS information using any non-CMS approved, Internet-based mechanism, including but not limited to, personal email, file-sharing, file transfer, or backup services.\u003c/li\u003e\u003cli\u003eEnsure that any CMS contractor, other person, or organization that performs functions or activities that involve the use or disclosure of PHI on behalf of CMS have Business Associate Agreement provisions in their contracts or agreements per OAGM standard contract language requirements.\u003c/li\u003e\u003cli\u003eEnsure CMS uses PII internally only for the purpose(s) that are authorized by statute, regulation, or Executive Order; and when the PII is also considered PHI for treatment, payment, healthcare operations, or as permitted under HIPAA (e.g., for research as permitted under 45 CFR §164.512).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOffice Director, Office of Enterprise Data and Analytics and Chief Data Officer\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eThe Office Director of the Office of Enterprise Data and Analytics (OEDA) also serves as the CMS Chief Data Officer (CDO). The CDO must be an agency official (federal government employee). 
The CDO must establish and implement policies, practices, and standards for maximizing the value and impact of CMS data for internal and external stakeholders.\u003c/p\u003e\u003cp\u003eOEDA develops and implements a data services strategy to maximize use of data on all CMS programs, including issue papers, chart books, dashboards, interactive reports, data enclave services, public use files, and research identifiable files. OEDA oversees the creation of data sets that de-identify individuals and makes these data sets publicly available when there is legal authority permitting their creation. Methods for creating these data sets may include:\u003c/p\u003e\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(2) (the “Safe Harbor Rule”).\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(1) (the “Expert Determination Rule”).\u003c/li\u003e\u003cli\u003e\u003cp\u003eOEDA also oversees the creation of “limited data sets” (LDS), which are data sets to be used or disclosed for purposes of research, public health, or healthcare operations, using the methodology set out at 45 CFR §164.514(e).\u003c/p\u003e\u003cp\u003eThe Administrator may designate other specific responsibilities to the CDO as necessary.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eOffice Director, Office of Acquisition and Grants Management and Head of Contracting Activity\u003c/h4\u003e\u003cp\u003eThe Office Director of the Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA) also serves as the CMS Chief Acquisition Officer (CAO). The CAO must be an agency official (federal government employee) designated to advise and assist the head of the agency and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities. 
The responsibilities of the Chief Acquisition Officer include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAdvise and assist the administrator and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities.\u003c/li\u003e\u003cli\u003eCoordinate with the authorizing official, business owners, system owners, common control providers, chief information security officer, senior official for privacy, and risk executive (function) to ensure that security and privacy requirements are defined in organizational procurements and acquisitions.\u003c/li\u003e\u003cli\u003eMonitor the performance of the acquisition activities and programs.\u003c/li\u003e\u003cli\u003eEstablish clear lines of authority, accountability, and responsibility for acquisition decision-making within CMS.\u003c/li\u003e\u003cli\u003eManage the direction and implementation of the acquisition policy.\u003c/li\u003e\u003cli\u003eEstablish policies, procedures, and practices that promote full and open competition from responsible sources to fulfill best value requirements considering the nature of the property or service procured.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCenter and Office Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach CMS Center and Office Executive must nominate an appropriately qualified staff member as a Data Guardian to the Senior Official for Privacy (SOP) for approval. 
The executive must ensure the Data Guardian meets the following qualifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe a proficient consumer advocate\u003c/li\u003e\u003cli\u003eHave experience in identifying information security and privacy requirements\u003c/li\u003e\u003cli\u003eBe trained in using the CMS Risk Management Framework (RMF)\u003c/li\u003e\u003cli\u003eUnderstand the CMS Center/Office business processes and operations\u003c/li\u003e\u003cli\u003eHave respect for the role and impact PII and PHI play within the Center/Office and across the CMS enterprise.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation Security and Privacy Officers\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those federal employees with roles related to establishing this \u003cem\u003ePolicy \u003c/em\u003eand the associated Program designed to protect CMS information and information systems, including the CIO, CISO, SOP, Privacy Act Officer, Chief Technology Officer (CTO), Configuration Management Executive, Cyber Risk Advisor (CRA), Privacy Advisor, and Marketplace Senior Information Security Officer.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CIO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.11, \u003cem\u003eOpDiv CIOs, \u003c/em\u003eincluding serving as the Chief Risk Officer and Authorizing Official (AO) for all CMS FISMA systems. 
There is only one AO for all CMS FISMA systems.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CIO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate the CISO as the authority for managing CMS incident response activities identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDefine recommended minimum System Security and Privacy Officer (previously known as ISSO) qualifications commensurate with the System Security and Privacy Officer (previously known as ISSO) role within CMS for both federal employees and contractors defined with NIST Significant Information Security and Privacy Responsibilities (SISPRs)\u003c/li\u003e\u003cli\u003eDefine mandatory information security and privacy training, education, and awareness activities undertaken by all personnel, including contractors, commensurate with identified roles and responsibilities\u003c/li\u003e\u003cli\u003eShare threat information as mandated by the Cybersecurity Enhancement Act of 2014\u003c/li\u003e\u003cli\u003eCoordinate with the CISO to establish configuration management processes and procedures\u003c/li\u003e\u003cli\u003eCreate and manage the review and approval of changes through the appropriate IT governance and change control bodies/boards\u003c/li\u003e\u003cli\u003eCoordinate with the CISO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications\u003c/li\u003e\u003cli\u003eRespond to any inquiries, investigations, or audits received from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security 
Rules\u003c/li\u003e\u003cli\u003eEnsure that all CMS key stakeholders, including the Chief Financial Officer (CFO); Office Director, Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA); Senior Official for Privacy (SOP); mission, business, and policy owners; as well as the CISO organizations, are aware of risks associated with High Value Assets (HVAs)\u003c/li\u003e\u003cli\u003eEnsure the establishment and implementation of an HHS-specific or CMS-specific HVA Policy and HVA Management Program.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CISO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.12, \u003cem\u003eOpDiv CISOs. \u003c/em\u003eThe CISO carries out the CIO's information security responsibilities under federal requirements in conjunction with the SOP.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements through the \u003cem\u003eCMS ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003ePublish CISO Directives as required to augment existing policy.\u003c/li\u003e\u003cli\u003eReview any requested waivers and deviations from this Policy and provide recommendations to the AO for risk acceptance.\u003c/li\u003e\u003cli\u003eServe as the security official who is responsible for the development and implementation of the policies and procedures that are required by the HIPAA Security Rule (please refer to 45 CFR §164.308(a)(2)).\u003c/li\u003e\u003cli\u003eDelegate the authority to approve system configuration deviations to the CRA and System Security and Privacy Officer (previously known as 
the ISSO), where appropriate.\u003c/li\u003e\u003cli\u003eEnsure CMS-wide implementation of HHS and CMS information security and privacy capabilities, policies, and procedures consistent with the NIST Risk Management Framework (RMF).\u003c/li\u003e\u003cli\u003eLead the investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eDefine and oversee the goals and requirements of Agency Security Operations.\u003c/li\u003e\u003cli\u003eCoordinate incident response and threat information sharing with the HHS CSIRC and/or HHS PIRT, as appropriate.\u003c/li\u003e\u003cli\u003eEnsure the information security continuous monitoring (ISCM) capabilities accomplish the goals identified in the ISCM strategy.\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process as part of the Program.\u003c/li\u003e\u003cli\u003eApprove the appointment of the System Security and Privacy Officer (previously known as ISSO) by the Program Executive.\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection by coordinating with the SOP and the CCIC Director to (1) disconnect or suspend interconnections and (2) ensure interconnections remain disconnected or suspended until the AO orders reconnection.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Executive (Function)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Risk Executive must be an agency official (federal government employee). 
The Risk Executive must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.13, \u003cem\u003eRisk Executive (Function)\u003c/em\u003e. The Administrator may designate specific responsibilities to the Risk Executive as necessary.\u003c/p\u003e\u003cp\u003eThe Risk Executive must also fulfill the responsibilities for agency-wide risk management strategies that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the CCIC to:\u003cul\u003e\u003cli\u003eManage risk(s) identified in the threat landscape via cyber threat intelligence, vulnerability assessment, penetration testing, forensics, malware, insider threat, etc., and security and privacy risk(s) identified via risk assessments, security control assessments, internal/external audits, etc. (including supply chain risk[s] via the Division of Strategic Information [DSI]) information for organizational systems and the environments in which the systems operate.\u003c/li\u003e\u003cli\u003eUse the CDM program to identify and report on the risk posture of the portfolio of FISMA reported systems in near real time.\u003c/li\u003e\u003cli\u003eUtilize the CFACTS system to report on the risk posture of the FISMA reported systems.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSenior Official for Privacy\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SOP must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.18, \u003cem\u003eOpDiv SOP\u003c/em\u003e. The responsibilities of the SOP must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLead CMS privacy programs and promote proper information security and privacy practices.\u003c/li\u003e\u003cli\u003eLead the development and 
implementation of privacy policies and procedures, including the following actions:\u003cul\u003e\u003cli\u003eEvaluate any new legislation that obligates the Program to create any regulations, policies, procedures, or other documents concerning collecting, creating, using, disclosing, or retaining PII/PHI.\u003c/li\u003e\u003cli\u003eEnsure an appropriate party will develop all such required policies or other documents.\u003c/li\u003e\u003cli\u003eEnsure policies exist to impose criminal penalties and/or other sanctions on CMS employees (consistent with the CMS Master Labor Agreement) and non-employees, including contractors and researchers, for violations of law and policy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure privacy controls are implemented and enforced.\u003c/li\u003e\u003cli\u003eServe as the privacy official responsible for developing and implementing policies and procedures, receiving complaints, and providing further information related to the Notice of Privacy Practices, as required by the HIPAA Privacy Rule (please refer to 45 CFR §164.530(a)).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their rights to access, inspect, request additions or amendments, and obtain copies of their PII/PHI in a designated record set or in a Privacy Act system of records (SOR).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their right to an accounting of disclosures of their PII/PHI by CMS or its business associates.\u003c/li\u003e\u003cli\u003eEnsure any use or disclosure of PII/PHI that is not for treatment, payment, health operations, or otherwise permitted or required by the HIPAA Privacy Rule or Privacy Act is made only with the individual's authorization.\u003c/li\u003e\u003cli\u003eEnsure the Program develops and documents a Notice of Privacy Practices for all Medicare Fee-for-Service beneficiaries, as required by the HIPAA Privacy Rule, that defines the uses and disclosures of 
PHI.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner / Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eCoordinate as the lead and collaborate with the CISO to:\u003cul\u003e\u003cli\u003eDocument privacy requirements and manage privacy implementation as CMS information systems are designed, built, operated, or updated\u003c/li\u003e\u003cli\u003eProvide recommendations to the CIO regarding the privacy posture of FISMA systems and the use/disclosure of CMS information\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCo-chair the CMS Data Governance Board.\u003c/li\u003e\u003cli\u003eApprove the appointment of Data Guardians by the Center or Office Executive.\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling, which includes all incidents involving PII/PHI.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection\u003cul\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to disconnect or suspend interconnections\u003c/li\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to ensure interconnections remain disconnected or suspended until the AO orders reconnection\u003c/li\u003e\u003cli\u003eReview HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII/PHI\u003c/li\u003e\u003cli\u003eEnsure that all required privacy documentation and materials are complete, accurate, and up to date.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Act Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Privacy Act Officer must be an agency official (federal government employee) and must fulfill all 
the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.20, \u003cem\u003eOpDiv Privacy Act Contact\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Privacy Act Officer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, implement, and maintain policies and procedures related to the Privacy Act.\u003c/li\u003e\u003cli\u003eProcess Privacy Act requests, including requests requiring exceptions to the Privacy Act.\u003c/li\u003e\u003cli\u003eProvide guidance and advice on federal Privacy Act policies and procedures.\u003c/li\u003e\u003cli\u003eEvaluate the impact of the Privacy Act and regulations on the organization's activities.\u003c/li\u003e\u003cli\u003eCoordinate with CMS Offices and staff as needed.\u003c/li\u003e\u003cli\u003eRepresent CMS on issues related to the Privacy Act.\u003c/li\u003e\u003cli\u003eAssess Privacy Act-related risks associated with programs, operations, and technology.\u003c/li\u003e\u003cli\u003eSupport efforts across CMS to comply with the Privacy Act.\u003c/li\u003e\u003cli\u003ePlan and conduct training sessions on Privacy Act requirements.\u003c/li\u003e\u003cli\u003eEnsure procedures exist to:\u003cul\u003e\u003cli\u003eAuthenticate the identity of a person requesting PII/PHI and, as appropriate, the authority of any such person permitted access to PII/PHI\u003c/li\u003e\u003cli\u003eObtain any documentation, statements, or representations, as appropriate, whether oral or written, from the authorized person requesting the PII/PHI\u003c/li\u003e\u003cli\u003eIn responses to requests for disclosures, limit the PII/PHI disclosed to that which is the minimum amount reasonably necessary to achieve the intended purpose of the disclosure or request, relying (if such reliance is reasonable under the circumstances) on the precise scope of the requested disclosure to 
determine the minimum necessary information to be included in the disclosure\u003c/li\u003e\u003cli\u003eIn structuring all CMS processes, ensure that to the greatest degree practicable each person receives only the PII/PHI data elements and records that the person needs (e.g., the data elements the person needs to perform all tasks within the scope of their assigned responsibilities). When CMS requests PII/PHI from third parties, ensure the PII/PHI requested is limited to the amount reasonably necessary to accomplish the purpose for which the request is made.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Technology Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Chief Technology Officer (CTO) must be an agency official (federal government employee). The CIO may designate specific responsibilities to a CTO as necessary.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConfiguration Management Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Configuration Management Executive must be an agency official (federal government employee) and must provide executive-level oversight for configuration management and contingency planning.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCyber Risk Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) may be a federal employee or a contractor. 
The CISO may designate the authority to approve system configuration deviations to the CRA where appropriate.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CRA must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAct as the subject matter expert in all areas of the \u003cem\u003eCMS RMF.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEvaluate, maintain, and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the AO.\u003c/li\u003e\u003cli\u003eSupport the CMS stakeholders in ensuring that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced; serve as an active participant in the system development life cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs considering security, functionality, and cost.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Information System Owner (ISO), Business Owner, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts and manage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC as appropriate and results are considered during the development phase of the SDLC.\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed 
information security and privacy artifacts to provide recommendations to the System Security and Privacy Officer (previously known as ISSO).\u003c/li\u003e\u003cli\u003eProvide guidance to CMS stakeholders on required actions, potential strategies, and best practices for closure of identified weaknesses.\u003c/li\u003e\u003cli\u003eUpload findings spreadsheets to the CMS FISMA Controls Tracking System (CFACTS).\u003c/li\u003e\u003cli\u003eEnsure AO-issued authorization is updated in CFACTS.\u003c/li\u003e\u003cli\u003eServe as the authority to approve selected system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eRemind System Security and Privacy Officer (previously known as ISSO) with expiring or expired letters to resubmit their appointment letters using a new letter.\u003c/li\u003e\u003cli\u003eUpload signed System Security and Privacy Officer (previously known as ISSO) appointment letter(s) to CFACTS.\u003c/li\u003e\u003cli\u003eCoordinate with the BO, ISO, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact the organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePrivacy Advisors may be federal employees or contractors and work under the direction of the SOP. 
The Privacy Advisor must fulfill responsibilities that include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify opportunities to integrate Fair Information Practice Principles (FIPP) into CMS business processes and information systems.\u003c/li\u003e\u003cli\u003eEvaluate legislation, regulations, and policies that may affect how CMS collects, uses, stores, discloses, or retires PII; identify their potential impacts on CMS; and recommend responsive actions to the CMS management or others that request guidance.\u003c/li\u003e\u003cli\u003eFor IT systems, coordinate with the Business Owner, CRA, Data Guardian, ISO, and System Security and Privacy Officer (previously known as ISSO) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the privacy impacts, and manage information security and privacy risk, including:\u003cul\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) and existing CFACTS documentation to verify that the PIA follows HHS/CMS guidance and verify that privacy risks have been appropriately documented\u003c/li\u003e\u003cli\u003eEvaluate privacy-related agreements (e.g., Computer Matching Agreements [CMA], Information Exchange Agreements [IEAs], and Memoranda of Agreement / Understanding [MOA/MOU]) to verify that privacy requirements are satisfied and privacy risks are adequately addressed, both initially and when periodically reviewed, and provide guidance and advice on these agreements to Business Owners, ISOs, and other CMS staff as needed\u003c/li\u003e\u003cli\u003eContinuously monitor all findings of privacy risk or deficiency, including by monitoring progress against privacy-related POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eTrack the progress of enterprise privacy risk mitigation activities across portfolios\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eProvide ISPG perspective during TRB reviews to 
assess the impact of changes to IT systems on privacy issues and work to mitigate those impacts.\u003c/li\u003e\u003cli\u003eWork with System Security and Privacy Officer (previously known as ISSO) to evaluate system changes to determine whether privacy risks are sufficiently significant to require updates to Authority To Operate (ATO) documents.\u003c/li\u003e\u003cli\u003eWork with BO, ISO, CRA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eWorks with CRAs to verify that decommission and disposition plans for IT systems do not create significant privacy risks.\u003c/li\u003e\u003cli\u003eAssist in developing reports on any aspect of privacy requested by CMS senior management, HHS, external auditors, or any other party authorized to request and receive such information.\u003c/li\u003e\u003cli\u003eProvide recommendations concerning the privacy risks and practices relevant to IT systems.\u003c/li\u003e\u003cli\u003eProvide incident handling support for incidents involving PII.\u003c/li\u003e\u003cli\u003eAdvise CMS healthcare programs on compliance with privacy and related cybersecurity requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAffordable Care Act (ACA) Senior Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ACA Senior Information Security Officer must be an agency official (federal government employee).\u003c/p\u003e\u003cp\u003eThe responsibilities of the ACA Senior Information Security Officer must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the overall information security and privacy of the Health Insurance Marketplace (HIM) by driving integration, collaboration, and innovation across disparate groups under the HIM program.\u003c/li\u003e\u003cli\u003eRepresent 
the interests of the CCIIO, as well as the CIO, CISO, and SOP by integrating the work of the managers and staff of multiple units to ensure an acceptable information security and privacy posture through visibility, compatibility, and situational awareness.\u003c/li\u003e\u003cli\u003eProvide technical and policy guidance during all phases of the SDLC to balance risk-based tradeoffs among information security, privacy, functionality, and cost.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Records Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Records Officer must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsuring compliance with the Federal Records Act of 1950, National Archives and Records Administration (NARA) regulations and/or guidance, OMB directives, and Government Accountability Office (GAO) audit requirements.\u003c/li\u003e\u003cli\u003eServing as Chairperson of the CMS Records Management Office.\u003c/li\u003e\u003cli\u003eDevelop CMS records management policies and procedures.\u003c/li\u003e\u003cli\u003eProviding agency-wide guidance, training, and assistance for compliance with laws and regulations\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupply Chain Risk Management (SCRM) Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SCRM Manager must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eManaging the development, documentation, and dissemination of the supply chain risk management policy and procedures.\u003c/li\u003e\u003cli\u003eAnalyze and assess the effects and impacts of existing and proposed federal legislation on CMS policies as it relates to supply chain risk management.\u003c/li\u003e\u003cli\u003eFacilitate 
or attend SCRM-related working group meetings to promote the supply chain risk management program and share policy updates and supply chain risk challenges and solutions with relevant CMS stakeholders.\u003c/li\u003e\u003cli\u003eResearch, identify, analyze, and recommend countermeasures and mitigations for supply chain risks that promote supply chain resilience.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eProgram and Information System Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those with roles related to CMS programs and the associated information systems. Program Executives oversee CMS programs and may also serve as ISOs and/or Business Owners. ISOs, referred to as “System Owners” in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, take responsibility for the operation of information systems required by the CMS program. Business Owners, referred to in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eas “Data Owners/Business Owners,” take primary responsibility for the information and data processed by the CMS program.\u003c/p\u003e\u003cp\u003eThis subsection also identifies specific information security and privacy responsibilities of the ISOs, Data Guardians, Business Owners, Contracting Officers (CO), Contracting Officer's Representatives (COR), and Program/Project Managers. This subsection also describes the responsibilities of the System Security and Privacy Officer (previously known as ISSO), including auxiliary responsibilities of the Security Control Assessor and Contingency Planning Coordinator (CPC) that may be filled by the System Security and Privacy Officer (previously known as ISSO). 
The final subsection describes specific responsibilities of the Security Operations Center/Incident Response Team (SOC/IRT).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISO must be an agency official (federal government employee) and must fulfill all of the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23, \u003cem\u003eSystem Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS ISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn coordination with the Data Guardian and Business Owner:\u003cul\u003e\u003cli\u003eNominate appropriately qualified System Security and Privacy Officer (previously known as ISSO) appointees, as defined under FISMA, to the CISO for approval.\u003c/li\u003e\u003cli\u003eEnsure that information security and privacy for each information system are planned, documented, and integrated from project inception through all phases of the CMS SDLC.\u003c/li\u003e\u003cli\u003eConsult and coordinate with the CIO and SOP to identify, negotiate, and execute appropriate governing artifacts and agreements before sharing CMS information.\u003c/li\u003e\u003cli\u003eIdentify program or system roles that have NIST Significant Information Security or Privacy Responsibilities (SISPRs) within their purview and oversee the system-specific Rules of Behavior (RoB) training applicable to system(s) in their portfolio.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Business Owner, CRA, Privacy Steward, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS or the component of CMS 
conducting the collection of PII/PHI has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, sharing, and disclosure of PII/PHI and subsequent appropriate disposal after disposition and retirement\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure each system's Change Control Board (CCB):\u003cul\u003e\u003cli\u003eIs an integral part of the information system change management process.\u003c/li\u003e\u003cli\u003eImplements applicable governing standards as defined in the \u003cem\u003eARS.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSupports the creation of baseline configuration documentation to reflect ongoing implementation of the operational configuration baseline updates.\u003c/li\u003e\u003cli\u003eSupports the change management processes to address change requests (CRs) for each system so that an appropriate Security Impact Analysis is performed by the System Security and Privacy Officer (previously known as ISSO) or designated staff.\u003c/li\u003e\u003cli\u003eApproves System Security and Privacy Officer (previously known as ISSO) information security configuration recommendations to address weaknesses and system deficiencies.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure employees and contractors receive the appropriate training and education regarding relevant information security and privacy laws, regulations, and policies governing the information assets they are responsible for protecting.\u003c/li\u003e\u003cli\u003eServe as the attestation official for approving the common controls provided by the system.\u003c/li\u003e\u003cli\u003eInclude the Security Control Assessor or representative from the system as a member of the CCB in all configuration management processes that include the system. 
If the System Security and Privacy Officer (previously known as ISSO) or Security Control Assessor acts as a voting member of the CCB, they must be federal employees.\u003c/li\u003e\u003cli\u003eMaintain change documentation in accordance with the CMS Records Retention Policy.\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Data Guardian must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresent the Center or Office on the Data Guardian Committee under the auspices of the CMS Data Governance Board to ensure a coordinated and consistent approach to protecting PII across the CMS enterprise.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the ISO, Business Owner, CRA, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information 
systems\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIdentify and pursue opportunities to proactively enhance information security and privacy controls and increase awareness of the evolving information security and privacy threats to the information assets of the Center or Office.\u003c/li\u003e\u003cli\u003eAttend quarterly Data Guardian Meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSafeguard PII by creating an information security and privacy awareness culture that adheres to information security and privacy standards and requirements designed to protect CMS data assets as directed by the CISO and SOP.\u003c/li\u003e\u003cli\u003eGather lessons learned and communicate best practices for protecting PII to their Center or Office.\u003c/li\u003e\u003cli\u003eParticipate in incident response activities affecting the Center or Office information security and privacy posture.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner \u003c/em\u003ein coordination with the Data Guardian. CMS Business Owners are the Group Directors or Deputy Group Directors who have the primary business needs that are or will be addressed by CMS IT investments/projects. 
The responsibilities of the CMS Business Owner must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the requirements of the CMS Policy for IT Investment Management \u0026amp; Governance or its successor policy.\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with the COs and CORs to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the SOP to ensure appropriate information security and privacy contracting language from relevant sources is incorporated into each IT contract. 
Relevant sources must include, but are not limited to, the following:\u003cul\u003e\u003cli\u003eHHS ASFR\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with the \u003cem\u003eCMS ARS\u003c/em\u003e, and when collecting or using FTI, with Internal Revenue Service (IRS) \u003cem\u003ePublication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e\u003csup\u003e10\u003c/sup\u003e.\u003c/li\u003e\u003cli\u003eCoordinate with ISO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocument data that are collected and maintained and certify that the data are authorized, relevant, and necessary to CMS's mission.\u003c/li\u003e\u003cli\u003eOwn the information stored, processed, or transmitted in CMS's information systems and limit access to the data/information.\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems that are permitted by routine use under CMS System of Records Notices (SORN) through appropriate vehicles to authorize or deny the release of PII.\u003c/li\u003e\u003cli\u003eVerify that CMS's programs or systems only disclose the minimum data necessary.\u003c/li\u003e\u003cli\u003eDetermine and certify that the information security and privacy controls that protect CMS's systems are commensurate with the sensitivity of the data being 
protected.\u003c/li\u003e\u003cli\u003eEstablish and revise, in coordination with the Privacy Act Officer, SORNs and computer matching agreements in accordance with the established procedures.\u003c/li\u003e\u003cli\u003ePrepare PIAs for programs or systems in accordance with the direction provided by the CRA.\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and the determination of the appropriate action to be taken regarding external notification of privacy breaches as well as the reporting, monitoring, tracking, and closure of PII incidents.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eContracting Officer and Contracting Officer's Representative\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CO and COR must be agency officials (federal government employees) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.34, \u003cem\u003eCO and COR.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS CO and COR must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the CISO, SOP, Privacy Act Officer, and Data Guardian are consulted during contract development and that the latest information security and privacy contract language is included in all contracts, as applicable.\u003c/li\u003e\u003cli\u003eWork with the Business Owner to determine the minimum necessary PII/PHI required to conduct each activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003e\u003cp\u003eCollect training records demonstrating that all CMS contractors with significant security and/or privacy responsibilities complete specialized RBT commensurate with their roles\u0026nbsp;\u003c/p\u003e\u003cp\u003ewithin 60 days of beginning work on a contract, upon commencement of the contractors work, annually thereafter, and upon 
request.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eProgram/Project Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Program/Project Manager must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.35, \u003cem\u003eProject/Program Manager \u003c/em\u003ein coordination with the Data Guardian.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Program/Project Manager must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure information security and privacy-related actions identified by the CMS SDLC meet all identified information security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure contractors follow all required information security and privacy policies, standards, and procedures\u003c/li\u003e\u003cli\u003eEnsure contractors follow all required procedures and provide all required documentation when requesting/gaining access to PII\u003c/li\u003e\u003cli\u003eEnsure contractors use the minimum data required to perform approved tasks\u003c/li\u003e\u003cli\u003eEnsure contractors return data covered by approved information sharing agreements at the end of the contract or task to the COR for proper destruction\u003c/li\u003e\u003cli\u003eEnsure appropriate notification and corrective actions, as described in the CMS Incident Handling procedure, are taken when a privacy breach is declared and involves a contractor or a public-private partnership operating a SOR on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrimary System Security and Privacy Officer (previously known as 
P-ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Primary System Security and Privacy Officer (previously known as P-ISSO) may be either a federal government employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.24, \u003cem\u003eSystem Security and System Privacy Officers (previously referred to as ISSO)\u003c/em\u003e. The System Security and Privacy Officer (previously known as ISSO) must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSections 7.26 and 7.30, and further elaborated in this subsection.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Primary System Security and Privacy Officer (previously known as P-ISSO) must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReport compliance on secure protocol use in websites periodically as defined within the \u003cem\u003eCMS 
ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003eSubmit System Security and Privacy Officer (previously known as ISSO) appointment letter for assigned system when nominated for approval and resubmit every two (2) years for review.\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and application.\u003c/li\u003e\u003cli\u003eCoordinate with the System Developer and Maintainer in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eDocument the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance.\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, and the PA in documenting Risk-based Decisions which impact their organizational FISMA system in accordance to CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eAct as one of the attestation officials for any authorization request for certification for an Authority-To-Operate (ATO) from the CMS Authorization Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for PII, PHI, and FTI in accordance with the \u003cem\u003ePrivacy Act\u003c/em\u003e, \u003cem\u003eE-Government Act\u003c/em\u003e, the HIPAA Privacy and Security Rules, and all applicable 
guidance.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain current system information in CFACTS (such as POCs and artifacts) to support organizational requirements and processes (e.g., communication, contingency planning, training, and data calls).\u003c/li\u003e\u003cli\u003eCoordinate with the Business Owner, ISO, and CISO to ensure that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced for applicable information and information systems.\u003c/li\u003e\u003cli\u003eEnsure anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and ISCM activities are addressed and remediated in a manner that is commensurate with the risks posed to the system from the anomalies.\u003c/li\u003e\u003cli\u003eEvaluate the impact of network and system changes using standard processes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem Development Life Cycle\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eInitiation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and confirm that contracts include appropriate information security and privacy language.\u003cul\u003e\u003cli\u003eCoordinate with Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure the system appears in CFACTS.\u003c/li\u003e\u003cli\u003eGenerate a draft PIA in coordination with the Business Owner.\u003c/li\u003e\u003cli\u003eEvaluate whether other privacy artifacts are required.\u003c/li\u003e\u003cli\u003eComplete System Security Categorization.\u003c/li\u003e\u003cli\u003eIdentify system-specific, information security and privacy training needs.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eConcept\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and discuss risk with the Program Manager and Business Owner.\u003c/li\u003e\u003cli\u003eIdentify any investment needs to ensure each FISMA system meets security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003ePlanning\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a System Security and Privacy Plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure Security Control Assessment is scheduled.\u003c/li\u003e\u003cli\u003eIdentify training needs.\u003c/li\u003e\u003cli\u003eReview or develop a corresponding security architecture diagram.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eRequirements Analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eConduct formal information security risk assessment (ISRA)\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eComplete documentation activities, including the privacy documents.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDesign\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that security architecture ingress/egress points are reviewed to meet CMS security requirements.\u003c/li\u003e\u003cli\u003eEnsure data is transmitted, processed, and stored securely.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDevelopment\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify software code is developed in accordance with the \u003cem\u003eCMS Technical Reference Architecture (TRA) 
\u003c/em\u003eand SDLC information security and privacy guidelines.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eTest\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSchedule internal tests such as penetration testing.\u003c/li\u003e\u003cli\u003eCoordinate with the CCIC to ensure assets are identified within monitoring tools.\u003c/li\u003e\u003cli\u003eEnsure use case security testing is incorporated into system functional testing.\u003c/li\u003e\u003cli\u003eEnsure change control processes are followed in accordance with the system security and privacy plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure auditing logs are appropriately capturing required information.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eImplementation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure third-party testing begins and weaknesses are resolved quickly.\u003c/li\u003e\u003cli\u003eEnsure each FISMA system is authorized for operation before the go-live date.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eOperation and Maintenance\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAddress weaknesses and POA\u0026amp;Ms.\u003c/li\u003e\u003cli\u003eReview available reports.\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based on change requests.\u003c/li\u003e\u003cli\u003eConduct Security Impact Analysis (SIA) at the direction of the Business Owner.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDisposition\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify the proper disposition of hardware and software.\u003c/li\u003e\u003cli\u003eVerify data are archived securely in accordance with the National Archives and Records Administration (NARA) requirements and in coordination with the Data Guardian.\u003c/li\u003e\u003cli\u003eInitiate the request to close out the project file in CFACTS.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecondary System Security and Privacy Officer (previously known as S-ISSO) and System Security and Privacy Officer Contractor Support (previously known as ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Secondary System Security and Privacy Officer (previously known as S-ISSO) may be either a federal government employee or a contractor identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.25, \u003cem\u003eSystem Security and Privacy Officer (previously referred to as ISSO) Designated Representative / Security Steward \u003c/em\u003eand must assist the Primary System Security and Privacy Officer (previously known as P-ISSO). 
The System Security and Privacy Officer Contractor Support (previously known as ISSOCS) is a contractor-only role that assists and supports the Primary System Security and Privacy Officer (previously known as P-ISSO) and Secondary System Security and Privacy Officer (previously known as S-ISSO) roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor (also referred to as Certification Agent) role may be performed by a System Security and Privacy Officer (previously known as ISSO). The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23, \u003cem\u003eSecurity or Privacy Control Assessor\u003c/em\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by a System Security and Privacy Officer (previously known as ISSO). 
The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.30, \u003cem\u003eContingency Planning Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Contingency Planning Coordinator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWork as part of an integrated project team to ensure contingency plans and related operational procedures accommodate all business resumption priorities and the defined applicable Maximum Tolerable Downtimes (MTD)\u003c/li\u003e\u003cli\u003eEnsure procedures exist that achieve continuity of operations of business objectives within appropriately targeted systems with any applicable Recovery Time Objective (RTO) and Recovery Point Objective (RPO) identified in the Business Impact Assessment\u003c/li\u003e\u003cli\u003eEnsure that the contingency plan is activated if any computer security incident disrupts the system; if the disruption is not resolved within the system's RTO, implement the system's disaster recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Operations Center/Incident Response Team\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe FISMA system SOC/IRT may consist of federal employees or contractors and must fulfill all the FISMA system-level responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv CSIRT, \u003c/em\u003eand the applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS PIRT\u003c/em\u003e. 
The FISMA system SOC/IRT reports to the Agency Security Operations, which is responsible for CMS-wide incident management.\u003c/p\u003e\u003cp\u003eThe Data Guardian, Business Owner, and ISO, in coordination with the CISO, have ownership of and responsibility for incident response and reporting for the FISMA system. The execution of this function begins at the data center/contractor site housing the FISMA system. Once an incident is declared, the CCIC coordinates with FISMA system SOC/IRT and Agency Security Operations personnel for all incident management activities.\u003c/p\u003e\u003cp\u003eThe FISMA system SOC/IRT operates under the direction and authority of the System Security and Privacy Officer (previously known as ISSO) and the Business Owner/ISO. The FISMA system SOC/IRT monitors for, detects, and responds to information security and privacy incidents within the FISMA system environment. The FISMA system SOC/IRT also provides timely, accurate, and meaningful reporting to the FISMA system stakeholders.\u003c/p\u003e\u003cp\u003eFISMA systems may perform the SOC/IRT capability by using a separate CMS CISO-approved SOC/IRT service provider. 
Any FISMA system SOC/IRT that is unable to deploy the required capabilities may establish an agreement with the CCIC to provide SOC/IRT services.\u003c/p\u003e\u003cp\u003eThe responsibilities of the FISMA system SOC/IRT must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor the FISMA system, perform:\u003cul\u003e\u003cli\u003eReal-time network and system security monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to information security and privacy incidents and breaches\u003c/li\u003e\u003cli\u003eSecurity sensor tuning and management and infrastructure operations and maintenance (O\u0026amp;M).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure flaw remediation (e.g., patching and installation of compensating controls), planning, ongoing scanning (e.g., ISCM), help desk, asset management, and ticketing are performed for the FISMA system in a manner that meets or exceeds CMS requirements.\u003c/li\u003e\u003cli\u003eEnsure the SOC/IRT-specific tools are implemented and deployed according to the CCIC and vendor technical guidance.\u003c/li\u003e\u003cli\u003eEnsure SOC/IRT-specific tools/equipment are isolated, as appropriate, from operational networks and systems.\u003c/li\u003e\u003cli\u003eServe as the FISMA systems information security and privacy lead on behalf of CCIC and HHS CSIRC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReport FISMA system information security and privacy incidents and breaches to CCIC and HHS CSIRC as required by federal law, regulations, mandates, and directives, and as reflected in the CMS established procedures.\u003c/li\u003e\u003cli\u003eReport cyber threat/intelligence/information to CCIC as required by federal law, regulations, mandates, and 
directives.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePrivileged Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes specific information security and privacy responsibilities of users with privileged access to CMS information systems. A privileged user\u003csup\u003e11\u003c/sup\u003e is any user that has sufficient access rights to modify, including disabling, controls that are in place to protect the system. The responsibilities for all privileged users must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLimit the use of privileged access to those administrative functions requiring elevated privileges\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem/Network Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System/Network Administrator may be a federal employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.33, \u003cem\u003eSystem Administrator\u003c/em\u003e. 
Per the HHS IS2P, the system administrator role includes, but is not limited to, other types of system administrators (e.g., database administrators, network administrators, web administrators, and application administrators).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWebsite Owner/Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Website Owner/Administrator may be a federal employee or contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.28, \u003cem\u003eWebsite Owner/Administrator\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Website Owner/Administrator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement proper system backups and patch management processes.\u003c/li\u003e\u003cli\u003eAssess the performance of security and privacy controls associated with the web service to ensure the residual risk is maintained within an acceptable range.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eLimit connections to publicly accessible federal websites and web services to approved secure protocols.\u003c/li\u003e\u003cli\u003eEnsure federal websites and web services adhere to Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS)\u003csup\u003e12\u003c/sup\u003e practices.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem Developer and Maintainer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System Developer and Maintainer must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the 
\u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.31, \u003cem\u003eSystem Developer and Maintainer\u003c/em\u003e. The responsibilities of the CMS System Developer and Maintainer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify, tailor, document, and implement information security- and privacy-related functional requirements necessary to protect CMS information, information systems, missions, and business processes, including:\u003cul\u003e\u003cli\u003eEnsure the requirements are effectively integrated into IT component products and information systems through purposeful security architecting, design, development, and configuration in accordance with the CMS SDLC and change management processes\u003c/li\u003e\u003cli\u003eEnsure the requirements are adequately planned and addressed in all aspects of system architecture, including reference models, segment and solution architectures, and information systems that support the missions and business processes\u003c/li\u003e\u003cli\u003eEnsure automated information security and privacy capabilities are integrated and deployed as required.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the System Security and Privacy Officer (previously known as ISSO) to identify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eFollow the CMS SDLC in developing and maintaining a CMS system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among planned and implemented information security and privacy safeguards and the features installed on the system\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003cem\u003eCMS TRA.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the RMF tasks listed in NIST 
SP 800-37 Revision 2\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that currently disseminate data for any purpose are capable of extracting data by pre-approved categories.\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eEnterprise Architect (Function)\u003c/h3\u003e\u003cp\u003eThe Enterprise Architect must be an agency official (federal government employee). The Enterprise Architect must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e Section 7.32. \u003cem\u003eEnterprise Architect\u003c/em\u003e. The CIO may designate specific responsibilities to the Enterprise Architect as necessary.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Enterprise Architect must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop and disseminate strategies, policies, and standards to implement the Enterprise Architecture program.\u003c/li\u003e\u003cli\u003eManage the agency's Enterprise Architecture resources.\u003c/li\u003e\u003cli\u003eProvide leadership in developing, maintaining, and implementing a sound and integrated Enterprise Architecture for the agency and its sub-organizations.\u003c/li\u003e\u003cli\u003eOrganize and chair the agency's Enterprise Architecture advisory group to provide cross-organization business and technical input to Enterprise Architecture-related matters, ensuring CMS programmatic and technical participation in Enterprise Architecture-related activities.\u003c/li\u003e\u003cli\u003eDefine, document, and align the agency's Enterprise Architecture with HHS Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure implementation of the Enterprise Architecture alignment reviews, 
verification of Enterprise Architecture approvals, and granting of waivers within the agency's Capital Planning and Investment Control (CPIC) investment planning and reviews, acquisition procedures, and SDLC project phase reviews.\u003c/li\u003e\u003cli\u003eMonitor program and project artifacts for alignment with Enterprise Architecture requirements, identifying and reporting non-conforming projects for resolution.\u003c/li\u003e\u003cli\u003eAdvise and inform all contractors and developers of Enterprise Architecture standards and compliance requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS adopts data stewardship mechanisms necessary for Enterprise Architecture data of acceptable quality to be created, captured, entered, and maintained promptly in the HHS Enterprise Architecture Repository.\u003c/li\u003e\u003cli\u003eRecommend technical standards to the agency Technical Review Board, ensuring submission to the HHS Chief Enterprise Architect of proposed modifications to HHS Enterprise Architecture and technology standards to meet CMS business requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS Enterprise Architecture-related training requirements are identified, planned for, and implemented.\u003c/li\u003e\u003cli\u003eAdvise or ensure that Enterprise Architecture advice is available to all CMS IT project teams.\u003c/li\u003e\u003cli\u003eRepresent CMS on the HHS Enterprise Architecture Review Board (EARB), and all agency, departmental, and intergovernmental Enterprise Architecture-related advisory bodies or working groups.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAgency Security Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgency Security Operations must fulfill all OpDiv responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv Computer Security Incident Response Team (CSIRT), \u003c/em\u003eand 
applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS Privacy Incident Response Team (PIRT)\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eSecurity operations are a shared responsibility between CMS Agency Security Operations and the ISO's SOC/IRT. For each FISMA system, System Developers and Maintainers are expected to establish, maintain, and operate a SOC/IRT to provide FISMA system situational awareness and incident response. For the CMS enterprise, Agency Security Operations maintains visibility and incident management across all FISMA systems, providing management, information sharing and coordination, unified response (including containment and mitigation approaches), and required reporting across the enterprise to CMS Management.\u003c/p\u003e\u003cp\u003eThe responsibilities for Agency Security Operations, both within the CCIC and across all SOC/IRTs, must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure all personnel with responsibilities for incident response complete annual RBT.\u003c/li\u003e\u003cli\u003eEnsure non-federal technical personnel (SOC/IRT and CCIC) obtain and maintain appropriate commercial information assurance certification credentials that have been accredited by the American National Standards Institute (ANSI) or an equivalent authorized body under the ANSI/International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17024 Standard.\u003cul\u003e\u003cli\u003ePersonnel who do not hold a commercial information assurance certification credential must obtain an appropriate credential within six months of the individual's start date or the release date of this document, whichever is later.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEncourage 
federal oversight personnel (SOC/IRT and CCIC) to obtain and maintain a commercial information assurance certification credential that has been accredited by ANSI or an equivalent authorized body under the ANSI/ISO/IEC 17024 Standard.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDirector for the CMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC operates under the direction and authority of the CMS CISO, who appoints the Director for the CCIC.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Director for the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the operational execution of the CCIC function enables the CMS CISO's strategic vision.\u003c/li\u003e\u003cli\u003eOversee the operation of the CCIC.\u003c/li\u003e\u003cli\u003eEnable CCIC capabilities (penetration testing, security engineering, etc.) to efficiently and effectively enhance the CMS enterprise security posture by performing their roles across the enterprise in coordination with CMS groups, partners, and contractors.\u003c/li\u003e\u003cli\u003eSupport the CISO and SOP when immediate disconnection or suspension of any interconnection is required.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC monitors, detects, and isolates information security and privacy incidents and breaches across the CMS enterprise IT environment. The CCIC provides continual situational awareness of the risks associated with CMS data and information systems throughout CMS. 
The CCIC also provides timely, accurate, and meaningful reporting across the technical, operational, and executive spectrum.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as the primary entity in CMS responsible for maintaining CMS-wide operational cyber security situational awareness, based on coordinated enterprise ISCM activities and the overall information security and privacy risk posture of CMS.\u003c/li\u003e\u003cli\u003eServe as the information security and privacy lead organization for coordinating within CMS and identified external organizations for Cyber Threat Intelligence (CTI) sharing, analysis, and response activities, including:\u003cul\u003e\u003cli\u003eIdentify enterprise threats and disseminate advisories and guidance\u003c/li\u003e\u003cli\u003eIdentify and coordinate response with SOC/IRT to ongoing threats to CMS\u003c/li\u003e\u003cli\u003eDevelop and share Indicators of Compromise (IOC)\u003c/li\u003e\u003cli\u003eDevelop and disseminate unified containment and mitigation approaches\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine minimum interoperable defensive technology requirements for CMS systems.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as CMS's primary POC with HHS CSIRC.\u003c/li\u003e\u003cli\u003eReport CMS information security and privacy incidents and breaches to HHS CSIRC.\u003c/li\u003e\u003cli\u003ePerform malware analysis and advanced analytics in support of unified incident response.\u003c/li\u003e\u003cli\u003eCoordinate with the Data Guardian when PII is involved.\u003c/li\u003e\u003cli\u003eCoordinate with the CMS Counterintelligence and Insider Threat Program Office, as 
appropriate.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine enterprise-wide information security and privacy requirements for all phases of the SDLC.\u003c/li\u003e\u003cli\u003eDefine an enterprise-wide, continual assessment process that:\u003cul\u003e\u003cli\u003eValidates incident response processes and procedures\u003c/li\u003e\u003cli\u003eMeets federal law, regulations, mandates, and directives for continual assessment\u003c/li\u003e\u003cli\u003eDefines the security data monitored by all SOCs/IRTs and made available to the CCIC\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine reporting metrics that are compliant with federal law, regulations, mandates, and directives for:\u003cul\u003e\u003cli\u003ePenetration testing\u003c/li\u003e\u003cli\u003eInformation security continuous monitoring\u003c/li\u003e\u003cli\u003eInformation security and privacy incident and breach response\u003c/li\u003e\u003cli\u003eCyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDetermine risk and impact on the CMS enterprise based on:\u003cul\u003e\u003cli\u003eReal-time monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to incidents\u003c/li\u003e\u003cli\u003eCollection, sharing, and analysis of CTI (i.e., knowing the adversary)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003eDevelop, in coordination with the CCIC Director, information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgency Continuity Point of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Agency Continuity Point of Contact must be an agency official (federal government employee) and is the individual the Administrator designates as the accountable official who 
will:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePerform the duties and responsibilities of the Agency Continuity Point of Contact, as set out in HHS's Continuity of Operations Program Policy.\u003c/li\u003e\u003cli\u003eBe directly responsible to the Administrator for management oversight of the CMS continuity program.\u003c/li\u003e\u003cli\u003eServe as the single POC for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIT Advisory Organizations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS Executive Management established IT advisory and decision-making bodies. These organizations ensure proper project planning and proper use of CMS information, and provide technical guidance ensuring IT projects properly integrate within the CMS environment. These organizations promote CMS strategic objectives and enforce federal requirements, including information security and privacy.\u003c/p\u003e\u003cp\u003eThe primary IT Advisory Organizations relevant to information system security and privacy policy are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e, co-chaired by the Chief Operating Officer (COO) and CIO, manages oversight of all CMS investment-related governance boards.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Board (GRB) \u003c/strong\u003eis chaired by the CIO, CFO, and Head of Contracting Activity; its members are the Budget Development Group Chairs. The GRB is the agency's IT Investment Review Board and serves as the decision or approval authority for IT expenditure under 
Capital Planning and Investment Control.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Team (GRT) \u003c/strong\u003e- support staff who gather information to assist the GRB in making decisions.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eTechnical Review Board (TRB)\u003c/strong\u003e, chaired by the CTO and supported by IT Governance, serves as a key member of the Target Life Cycle Governance Program. It advises and guides IT project teams that are moving through the Target Life Cycle to ensure their solutions conform to the CMS Technical Reference Architecture.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eData Governance Board (DGB) \u003c/strong\u003esupports overall agency data governance. Led by the OEDA CMS Chief Data Officer, the DGB works with the national data sets supplied by CMS to different programs.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Strategic Planning Management Council (SPMC) provides leadership and support for executing CMS strategic objectives across all CMS investments. The SPMC provides a forum for ongoing collaboration among teams and overall management of the CMS Strategy.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Board (GRB)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Board (GRB) is established as part of the CMS IT Governance process to enforce the implementation of CMS enterprise standards and strategy. The GRB consists of CMS Senior Leadership which reviews the recommendations for project alternatives. 
The GRB does not make funding decisions; however, it reviews proposed options and potential solutions to ensure the best solution is implemented by the project team to address the business needs.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Team (GRT) is a project planning body that supports project teams in determining the steps needed to ensure projects are in alignment with CMS Security and Privacy Policy. The GRT will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMake recommendations to the GRB on proposed business cases and alternatives analysis, ensuring the project:\u003cul\u003e\u003cli\u003eFulfills a need,\u003c/li\u003e\u003cli\u003eDoes not duplicate current processes or functions; and\u003c/li\u003e\u003cli\u003eIs in alignment with current IT Portfolio Goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAdvise Project Teams on the IT Governance Process.\u003c/li\u003e\u003cli\u003eConsist of Subject Matter Experts who support CMS stakeholders in the development of their projects and business cases.\u003c/li\u003e\u003cli\u003eReview Business Cases and support the GRB by providing ongoing review of proposed and operational systems for adherence to CMS policies.\u003c/li\u003e\u003cli\u003eCoordinate with other governance boards to ensure further reviews are implemented when necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eTechnical Review Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Technical Review Board (TRB) is an advisory board established to ensure IT investments are consistent with CMS's IT strategy. The board manages updates to the \u003cem\u003eCMS TRA \u003c/em\u003eto promote the CMS IT strategy and assists projects by ensuring solutions are technically sound and are on track to deliver promised capabilities on time and on budget. 
The TRB:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technology leadership to deliver business value and anticipate change to meet the current and long-term needs of CMS programs.\u003c/li\u003e\u003cli\u003eImplements and communicates CMS's IT strategy to ensure project solutions are cost-effective, sustainable, and support the agency's business.\u003c/li\u003e\u003cli\u003eProvides technical guidance to ensure CMS's IT Investments are properly integrated into the CMS environment.\u003c/li\u003e\u003cli\u003eSupports teams in building IT features.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Governance Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Data Governance Board (DGB) provides executive leadership and stewardship of the agency's data assets, including oversight for the development and implementation of the policies and processes which govern the collection or creation, management, use, and disclosure of CMS data.\u003c/p\u003e\u003cp\u003eThe DGB ensures intra-agency transparency and data stewardship to promote efficient and appropriate use of, and investment into, agency data resources. Transparency and data stewardship include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eOpenness: \u003c/em\u003ePromoting and facilitating the open sharing of knowledge about CMS data, including an understanding of how and where agency data are collected or created, stored, managed, and made available for analysis.\u003c/li\u003e\u003cli\u003e\u003cem\u003eCommunication: \u003c/em\u003ePromoting partnerships across the CMS enterprise to eliminate duplication of effort, stove-piping, and one-off solution designs.\u003c/li\u003e\u003cli\u003e\u003cem\u003eAccountability: \u003c/em\u003eEnsuring agency-wide compliance with approved data management principles and policies. 
Understanding the objectives of current and future strategic or programmatic initiatives and how they impact, or are impacted by, existing data management principles and policies as well as current privacy and security protocols.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIntegrated Information Security and Privacy Policies\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eCMS Tailored Policies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003edelineates information security and privacy policies, including both mandated security controls and a provision for CMS to develop its own controls over CMS information and information systems as long as the HHS baseline requirements are met. CMS tailored specific security controls to ensure they meet the mission and vision of the organization. This section lists the tailored controls which include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls explicitly mandated for CMS by an authoritative agent (e.g., HHS or other federal agency requirements).\u003c/li\u003e\u003cli\u003eControls modified to address the CMS implementation (e.g., CMS architecture, risk framework, and life cycle management).\u003c/li\u003e\u003cli\u003eControls that address specialized topics that extend beyond NIST 800-53, Revision 5 (e.g., the Federal Risk and Authorization Management Program [FedRAMP], and FISCAM).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEmployee Monitoring / Insider Threat (CMS-EMP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-1 \u003c/strong\u003eThe use of warning banners is mandatory on all CMS information systems in accordance with federal and HHS policy and the ARS control requirements. 
A warning banner states that by accessing a CMS information system (e.g., logging onto a CMS computer or network), the employee consents to having no reasonable expectation of privacy regarding any communication or data transiting or stored on that system, and the employee understands that, at any time, CMS may monitor the use of CMS IT resources for lawful government purposes. \u003cem\u003e(For the purposes of this policy requirement, the term “employee” includes all individuals who have been provided and currently have access to CMS IT resources and who are current employees, contractors, guest researchers, visiting scientists, and fellows. The term excludes individuals who are not or are no longer CMS employees, contractors, guest researchers, visiting scientists, or fellows.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-2 \u003c/strong\u003eIn accordance with HHS policy, the CMS CIO must carry out monitoring in a fashion that protects employee interests and ensures the need for monitoring has been thoroughly vetted and documented.\u003c/p\u003e\u003cp\u003eComputer monitoring of an employee at CMS may be requested by HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cem\u003e(For the purposes of this policy, the term “computer monitoring” covers monitoring of CMS IT resources, including real-time or contemporaneous observation, prospective monitoring (e.g., using monitoring software), and retrospective review and analyses (e.g., of email sent or received, of computer hard-drive contents) focusing on an individual employee. This section of policy does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or FISMA that perform general system and network monitoring or examinations of computers for malware. 
Additionally, computer monitoring excludes any review and analysis requested by or approved by the employee(s) being covered. This does not apply to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act (FOIA) requests, and investigations by the Government Accountability Office (GAO) and the Office of Special Counsel. Such retrospective searches may be conducted with the consent of the employee or the authorization of the CMS CIO.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-3 \u003c/strong\u003eAll requests from outside law enforcement agencies must be coordinated through the HHS/OIG, except for requests relating to national security or non-criminal insider threat matters. The latter must be coordinated via the Counterintelligence and Insider Threat Program of the Division of Strategic Information (DSI), which in turn coordinates with the HHS/ONS on all requests. Such external computer monitoring requests may be subject to different standards, partly because they are covered by the internal controls of the requesting agency or judicial process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-4 \u003c/strong\u003eNo CMS official may initiate computer monitoring without advance written authorization by the CMS Administrator or the CMS CIO. By HHS policy, this authority to authorize monitoring may not be delegated below the CMS CIO. Prior to submission of a monitoring request, the CMS CIO or HHS/ONS consults with the HHS Office of the General Counsel (OGC). 
The requesting organization documents the basis for approving any request for computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-5\u003c/strong\u003e Computer monitoring may only be authorized for the following reasons:\u003c/p\u003e\u003col\u003e\u003cli\u003eMonitoring has been requested by the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority in accordance with CMS Administrative Services Group, DSI and federally recognized jurisdiction.\u003c/li\u003e\u003cli\u003eReasonable grounds exist to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information (e.g., confidential commercial information or \u003cem\u003ePrivacy Act \u003c/em\u003eprotected information).\u003c/li\u003e\u003cli\u003eReasonable grounds exist to believe that the individual to be monitored may have violated an applicable law, regulation, or written HHS or CMS policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eRoutine IT equipment examinations are permissible when malware searches are involved. 
Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this policy except for follow-up actions that involve computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-6 \u003c/strong\u003eIn circumstances in which HHS/OIG requests computer monitoring for purposes of an HHS/OIG investigation or where HHS/OIG requires assistance in the conduct of computer monitoring, HHS/OIG will provide such information or notification as is consistent with its responsibilities, duties, and obligations under the \u003cem\u003eInspector General Act of 1978, \u003c/em\u003eas amended.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.1\u003c/em\u003e In concert with the HHS/OGC, the CMS CIO must develop a memorandum of understanding (MOU) or similar written agreement with outside law enforcement agencies as a precondition for approving monitoring requests from these organizations. The MOU must include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTitle and organizational component of the person(s) authorized to make monitoring requests on behalf of the law enforcement agency.\u003c/li\u003e\u003cli\u003eDocumentation of the source of the official request demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring (e.g., a subpoena [administrative or grand jury], warrant, national security letter [NSL], or other acceptable documented request [e.g., a written law enforcement administrative request that meets applicable requirements of the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA requirements for certain disclosures to law enforcement agencies]).\u003c/li\u003e\u003cli\u003eAny restrictions applicable to the handling and disclosure of confidential information that may be produced by monitoring.\u003c/li\u003e\u003cli\u003eOther items consistent with this memorandum, including handling sensitive communications, as described in the 
following bullet (Documentation).\u003c/li\u003e\u003cli\u003eDocumentation: the written authorization for computer monitoring describes the reason for the monitoring. If the monitoring is initiated at the request of outside law enforcement authorities, the authorization documents that the request was approved, consistent with the applicable MOU with that organization, by an official of the governmental entity that has the authority to request the initiation of such monitoring.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.2\u003c/em\u003e Except for monitoring initiated at the request of an outside law enforcement authority or the HHS/OIG, the party requesting the monitoring must document the factual basis justifying the request for monitoring and the proposed scope of the request. Requests for such monitoring must include an explanation of how monitoring will be conducted, how the information collected during monitoring will be controlled and protected, and a list of individuals who will have access to the resulting monitoring information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.3\u003c/em\u003e A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-7 \u003c/strong\u003eThe CMS Administrator or CMS CIO must ensure authorized computer monitoring is appropriately narrow in scope and time-limited and takes the least invasive approach to accomplish monitoring objectives. 
The CMS Administrator or CMS CIO, in reviewing requests for monitoring, must consider whether there are alternative information gathering methods that CMS can utilize to address the concern in lieu of monitoring. When the monitoring request originates from HHS/OIG or outside law enforcement, CMS will grant appropriate deference to a request made in accordance with this policy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-8\u003c/strong\u003e No monitoring authorized or conducted may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys. Employee union officials of CMS will be treated, for non-targeted monitoring purposes, as all other employees of CMS when monitoring is necessary. If such protected communications are inadvertently collected or identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring or anyone else without express written authorization from the HHS/OGC and other appropriate HHS official(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-9 \u003c/strong\u003eWhen a request for computer monitoring is made by a party other than an outside law enforcement authority or the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program, CMS must consult with the OGC as to whether the monitoring is consistent with all applicable legal requirements, including the \u003cem\u003eWhistleblower Protection Act \u003c/em\u003eand \u003cem\u003eHIPAA, \u003c/em\u003eand consider whether there are any additional limits. 
In addition, except for monitoring initiated at the request of outside law enforcement or the HHS/OIG, parties that receive information derived from monitoring must consult with the OGC as to potential restrictions on the use of such information under applicable law.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-10 \u003c/strong\u003eThe CMS CIO must review all employee monitoring every month and, in consultation with the party who requested the monitoring, assess whether it remains justified or is to be discontinued. The CMS CIO must consider whether or not the decision for ongoing monitoring must be reviewed by the OGC. A decision to continue monitoring must be explained and documented in writing by the CMS CIO, who must report at least monthly to the CMS Administrator regarding the status of any ongoing monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-11\u003c/strong\u003e The CMS CIO and the OGC may make recommendations to the CMS Administrator for additional procedures, if necessary, to address specific circumstances not addressed in this policy. 
Insider threat policies and procedures that deviate from the elements of this policy, however, must not be implemented without the written concurrence of the HHS CIO in consultation with the OGC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management Framework (CMS-RMF)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-RMF-1\u003c/strong\u003e The CMS CISO must develop and maintain within the ARS \u003cem\u003eAssessment, Authorization, and Monitoring \u003c/em\u003efamily of controls minimum controls to ensure information systems: (i) are assessed at least every three years or whenever a significant change occurs (as defined in the CMS established procedures; NIST SP 800-37, revision 2, describes examples of significant changes to an information system that should be reviewed for possible re-authorization) to the information system to determine if security and privacy controls are effective in their application; (ii) have POA\u0026amp;Ms designed to correct\u0026nbsp;deficiencies and reduce or eliminate vulnerabilities; (iii) are authorized for processing (including any associated information system connections) by the CMS CIO; and (iv) are monitored on an ongoing basis to ensure the continued effectiveness of the controls. In addition, the CMS CISO, where necessary to add clarity, provides methods in the form of \u003cem\u003eChapters, Procedures, \u003c/em\u003eand/or \u003cem\u003eStandards \u003c/em\u003ewithin the CMS established procedures to facilitate implementation, assurance, and tracking effectiveness of those controls. 
Minimally, these processes and procedures must address the following:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.1 \u003c/em\u003eEnsure all systems and networks receive a system categorization in accordance with the frameworks set forth in FIPS 199 and NIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories\u003c/em\u003e, as amended, and the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.2 \u003c/em\u003eEnsure CMS Business Owners/ISOs conduct risk assessments on systems and networks and document the result in accordance with NIST SP 800-30, \u003cem\u003eGuide for Conducting Risk Assessments\u003c/em\u003e, as amended.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.3\u003c/em\u003e Ensure the CMS Business Owners/ISOs review and update risks, as necessary, no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.4\u003c/em\u003e Ensure CMS Business Owners/ISOs implement appropriate information security and privacy controls as documented in an information system security and privacy plan for each CMS system and network in accordance with NIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and that CMS Business Owners/ISOs review and update plans as needed but no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.5\u003c/em\u003e Ensure CMS Business Owners/ISOs implement and document information security and privacy controls outlined in NIST SP 800-53, Revision 5.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.6 \u003c/em\u003eAssess the controls using the procedures outlined in NIST SP 800-53A, as amended, \u003cem\u003eAssessing Security and Privacy Controls in Information Systems and 
Organizations.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.7\u003c/em\u003e Develop, disseminate, and review/update: (i) formal, documented security assessment and authorization standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.8\u003c/em\u003e Determine (i) the required level of Security Control Assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets and to individuals; and (ii) if the level of Security Control Assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.9\u003c/em\u003e Ensure all CMS systems and networks are formally assessed and authorized using the methodology outlined in NIST SP 800-37 Revision 2, and in accordance with the minimum content requirements for the creation of security authorization packages, as stated in the ARS and the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.10 \u003c/em\u003eEnsure the \u003ca href=\"https://csrc.nist.gov/glossary/term/security_control_assessor\"\u003eSecurity Control Assessor(s)\u003c/a\u003e\u0026nbsp;is identified and assigned prior to applying the RMF tasks to the information system. 
The AO for the information system (i) is the CMS CIO, (ii) authorizes the information system for processing before commencing operations, and (iii) uses the results of the ISCM process to the maximum extent possible as the basis for rendering a re-authorization decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.11\u003c/em\u003e Require SIA and PIA review when any significant change occurs to a CMS system, network, physical environment, etc., to assess the impact of the change on the information security and privacy of the information processed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.12 \u003c/em\u003eEnsure CMS Business Owners/ISOs request to re-authorize all systems at least every three years or when a significant change occurs to the system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.13\u003c/em\u003e Develop an ISCM strategy and implement an ISCM program that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e(i) a configuration management process for the information system and its constituent components;\u003c/li\u003e\u003cli\u003e(ii) determination of the security impact of changes to the information system and environment of operation;\u003c/li\u003e\u003cli\u003e(iii) ongoing information security and privacy control assessments in accordance with the organizational ISCM strategy; and\u003c/li\u003e\u003cli\u003e(iv) reporting on the security state of the information system to appropriate organizational officials.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe organization assesses the information security and privacy controls in an information system, at a minimum, as part of (i) security authorization or re-authorization, (ii) meeting the FISMA requirement for annual assessments, (iii) ISCM, and (iv) testing/evaluation of the information system as part of the SDLC process. 
Those controls that are the most volatile (e.g., controls mostly affected by ongoing changes to the information system or its environment of operation) or deemed essential to protecting CMS operations and assets, individuals, other organizations, and the nation are assessed more frequently in accordance with the CMS CISO's assessment of risk as defined in the CMS established procedures. All other controls are assessed at least once during the information system's three-year authorization cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Systems Development Life Cycle (CMS-SDLC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity Architecture and Engineering (SA\u0026amp;E) activities help CMS Components align with enterprise information security and privacy capabilities, reporting processes, and requirements. SA\u0026amp;E ensures that the information security environment continues to meet business needs and address new and emerging threats by identifying risks and providing adequate information security and privacy protections through testing, implementation, and improvement of new and existing technologies and processes. To help guide a unified enterprise approach to implementing information security and privacy architecture, the risk management and compliance functional area publishes and updates information security and privacy technical guidance and provides input into the development of TRA security-related supplements.17 Security Assessment and Authorization (SA\u0026amp;A) processes help CMS Business Owners/ISOs comply with Capital Planning and Investment Control (CPIC) processes and CMS's SDLC processes to incorporate the security requirements of the ARS and the CMS TRA to obtain system authorization, also referred to as Authority to Operate (ATO), prior to operation. 
The CMS CISO and SOP follow the procedures outlined in the RMF for SA\u0026amp;A in accordance with FISMA and the direction of the CMS CIO.\u003c/p\u003e\u003cp\u003eThe SA\u0026amp;A processes help CMS stakeholders identify information security and privacy risks, assess the adequacy of information security and privacy controls, and ensure information security and privacy responsibilities are assigned prior to authorizing systems for operation. These processes incorporate ISCM and periodic manual assessment techniques to appropriately test the ongoing effectiveness of all controls.\u003c/p\u003e\u003cp\u003eBy following CPIC, SDLC, and RMF, System Developers and Maintainers include information security and privacy requirements from project initiation throughout the life cycle and implement the appropriate controls to manage information security and privacy risk.\u003c/p\u003e\u003cp\u003eThe ARS provides specific standards for completing the RMF process and include descriptions of the artifacts required to document information and information system controls. The SA\u0026amp;A processes result in identification of information security and privacy risks that must be managed by the POA\u0026amp;M processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-1\u003c/strong\u003e The CISO must integrate information security and privacy into the CMS life cycle processes. 
The SDLC provides the processes and practices of the CMS system development life cycle in accordance with the \u003cem\u003eCMS Policy for Information Technology (IT) Investment Management \u0026amp; Governance\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-2\u003c/strong\u003e Program Executives must engage the System Security and Privacy Officer (previously known as ISSO), CRA, and privacy team early and throughout the SDLC.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-3\u003c/strong\u003e The SDLC processes and procedures must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.1\u003c/em\u003e Integrate information security and privacy requirements into all CMS SDLC activities (i.e., The four distinct phases of the CMS TLC include Initiate, Develop, Operate, and Retire).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.2\u003c/em\u003e Ensure critical SDLC stage gate reviews are conducted to govern the information security and privacy posture of the system being developed. The TRB must evaluate the information security and privacy risk introduced by the system and provide guidance to improve system architecture and engineering.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eThe CMS Technical Review Board (TRB) provides technical guidance to assist project teams with their IT investments and enable them to be integrated within CMS' IT environment. At the project level, the TRB has advisory support services to ensure project solutions are technically sound and on track to deliver the target capabilities. 
The TRB also promotes IT reuse, information sharing, and systems integration across the Agency.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.3 \u003c/em\u003eAssign information security and privacy roles for the information system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.4\u003c/em\u003e Ensure system information security and privacy controls are assessed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.5\u003c/em\u003e Ensure system authorization prior to entering the O\u0026amp;M phase of the SDLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCloud Computing Requirements (CMS-CLD)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS developed CMS-CLD policies to provide guidance and direction on the acceptable uses of cloud service providers (CSP) and cloud computing services in compliance with the \u003cem\u003eFederal Cloud Computing Strategy (Cloud Smart) \u003c/em\u003ewhen used as part of a CMS FISMA system\u003cem\u003e. \u003c/em\u003eThe CMS-CLD policies define directives concerning the procurement, deployment, and utilization of cloud computing services across the CMS enterprise.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://cloud.cio.gov/strategy/\"\u003e\u003cem\u003eCloud Smart\u003c/em\u003e\u003c/a\u003e, CMS permits cloud services within the CMS environment. 
CMS established the policies in this section to guide the use of cloud services and cloud computing installations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-1\u003c/strong\u003e All cloud service implementations used must have an approved Federal Risk and Authorization Management Program (FedRAMP) Authorization and CMS-issued ATO\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-CLD-1.1\u003c/em\u003e If a Software as a Service (SaaS) product does not have a current FedRAMP authorization, a Rapid Cloud Review (RCR) and a CMS-issued Provisional Authority to Operate (P-ATO) would be needed to assess FedRAMP readiness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-2 \u003c/strong\u003eAll FISMA systems and applications deployed on a CSP service must have a valid CMS-issued ATO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-3\u003c/strong\u003e All CSP systems must integrate with continuous monitoring and identity management systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Email Encryption Requirements (CMS-EMAIL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with information security and privacy encryption policies defined by federal laws, executive orders, directives, regulations, policies, standards, and guidance (e.g., HIPAA, Health Information Technology for Economic and Clinical Health [HITECH], Privacy Act, and IRS Publication 1075). 
The CMS Email Encryption Requirements control family provides the CMS standards for implementing information security and privacy controls.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMAIL-1\u003c/strong\u003e CMS Sensitive Information must be protected and only sent to recipients with a “need to know.” Emails containing sensitive information must be protected using one of the following steps:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.1\u003c/em\u003e Ensure unencrypted emails containing sensitive information remain within the CMS email service environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2 \u003c/em\u003eFor recipients outside of the CMS email service environment or trusted domain:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.1\u003c/em\u003e Encrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.2 \u003c/em\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using software that meets FIPS 140-2 for encryption software (e.g., SecureZip).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.3\u003c/em\u003e Sending passwords for an encrypted attachment via email is prohibited. Instant messaging clients that are integrated with Microsoft Outlook, such as Lync/Skype, must not be used to communicate passwords. Acceptable approaches for sharing passwords include phone conversation, text message, or a shared secret. 
The method chosen must protect the password from compromise.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eProgram Specific Requirements\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Level Control Packages\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has enterprise-level security and privacy controls for inheritance that are based on information security and privacy policies, programs or services that are provided by the offices of the CIO and CISO. These controls must be accounted for within the CMS governance, risk and compliance (GRC) tool in order for them to be leveraged as inherited controls among the FISMA systems. As part of the GRC tool, the systems are designated as FISMA systems, but they are not actual FISMA systems and are not subject to the requirements listed in section 8.1.2. Risk Management Framework (CMS-RMF).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with the Office of Management and Budget (OMB) Memorandum M-19-03, \u003cem\u003eStrengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/em\u003e; the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02, \u003cem\u003eSecuring High Value Assets; \u003c/em\u003eand the \u003cem\u003eHHS High Value Asset (HVA) Program Policy\u003c/em\u003e (August 2019).\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eHHS HVA Program Policy \u003c/em\u003edefines HVAs as:\u003c/p\u003e\u003cp\u003eAssets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe HHS policy requires CMS to 
establish appropriate governance of HVA activities across its organization and integrate HVA remediation activities into its planning, programming, budgeting, and execution process. These efforts will align with federal law, regulations, standards, and guidelines, as well as CMS policies, processes, and procedures. To meet the HHS policy, CMS will conduct the following activities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-1\u003c/strong\u003e The CMS CIO develops a process for creating and maintaining an HVA inventory, consistent with any format and content specified by HHS. Upon request, the Program will complete or update the inventory. HHS may require the inventory to note any or all threats, vulnerabilities, and impacts, and the likelihood of each of these occurring, associated with each system. CMS will share its HVA inventory with HHS upon request, following HHS instructions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-2\u003c/strong\u003e When creating or updating HVA-related contracts and acquisition requirements, CMS Contracting Officer's Representatives (COR) must incorporate appropriate language from the HHS Security and Privacy Language for Information and Information Technology Procurements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-3\u003c/strong\u003e HVA-related artifacts must be handled as directed by OMB and DHS. These documents include instructions for securing and encrypting all correspondence involving HVA-related information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-4 \u003c/strong\u003eHVAs must have a valid Authority to Operate (ATO). 
An ATO must reflect that appropriate safeguards have been implemented to protect the HVA, many of which will be specific to HVAs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-5 \u003c/strong\u003eSecurity assessments must be conducted as a minimum requirement by the CISA-Led Assessment Team for Tier 1 HVAs, Third Party/Independent Assessor for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 2 HVAs\u003c/a\u003e, and Self-Assessment for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 3 HVAs\u003c/a\u003e at the frequency and rigor stipulated by CISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-6\u003c/strong\u003e The CMS CIO, Senior Official for Privacy (SOP) or designated official, must develop a Standard Operating Procedure (SOP) for reviewing CMS's HVAs to identify those HVAs that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal Taxpayer Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystems that collect, maintain, use, or disclose Federal Tax Information (FTI) must follow IRS requirements for protecting FTI. Business Owners of CMS systems, with direction provided by the OIT, must ensure that all applicable information security and privacy controls, whether\u0026nbsp;imposed by an organization or office internal or external to CMS, are incorporated into CMS systems.\u003c/p\u003e\u003cp\u003eThe IRS defines Federal Tax Information as federal tax returns and return information (and information derived from it) that is in the agency's possession or control which is covered by the confidentiality protections of the Internal Revenue Code (IRC) and subject to the IRC 6103(p)(4) safeguarding requirements including IRS oversight. 
CMS often receives, accesses, and uses FTI in conducting its business processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-1\u003c/strong\u003e Business Owners that collect, maintain, use, or disclose FTI must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.1\u003c/em\u003e Comply with IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.2\u003c/em\u003e Document and certify the incorporated controls in their respective system security and privacy plan and identify residual risks in the corresponding risk assessment for their systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.3\u003c/em\u003e Disclose FTI to its agents solely for purposes for which there is an appropriate legal authority, and for which IRS has granted an exception permitting its disclosure.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.4\u003c/em\u003e Notify the IRS Office of Safeguards prior to re-disclosing FTI to contractors. Notify and obtain written approval from the IRS Office of Safeguards prior to re-disclosing FTI to sub-contractors.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.5\u003c/em\u003e Notify the IRS Office of Safeguards when there has been a breach of FTI.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.6\u003c/em\u003e Execute a contract or other agreement with any recipient of the FTI. 
The contract must require the recipient to abide by IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e, including its requirements for providing privacy and security controls for FTI\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-2\u003c/strong\u003e Users with access to FTI must adhere to the following when working from Alternative Work Sites:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.1\u003c/em\u003e Telework Locations - FTI remains subject to the same safeguard requirements and the highest level of attainable security. All the requirements of IRS Publication 1075, Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.2\u003c/em\u003e Equipment - CMS must retain ownership and control, for all hardware, software, and end-point equipment connecting to public communication networks, where these are resident at all alternate work sites. Alternatively, the use of virtual desktop infrastructure with non-CMS-owned devices (including personally-owned devices) is acceptable, where all requirements in IRS Publication 1075, Section 9.4.13 Virtual Desktop Infrastructure are met.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.3 \u003c/em\u003eData Storage - FTI may be stored on hard disks only if CMS-approved security access control devices (hardware/software) have been installed, are receiving regularly scheduled maintenance including upgrades, and are being used. 
Access controls must include password security, an audit trail, encryption, virus detection, and data overwriting capabilities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.4 \u003c/em\u003eInspection - Alternate work sites may be subject to periodic inspections by CMS personnel to ensure that safeguards are adequate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and Privacy Control Families\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS ARS is central to the security and privacy framework. Through this document, CMS identifies the essential set of security and privacy controls that must be implemented for CMS Information Systems. CMS established these safeguards based on the agency's interpretation of applicability of HHS and CMS internal policies and guidance, mandates and legislative guidance specific to the CMS environment. Each control family has a specific set of “dash one” controls that requires that policies be in place while the remaining controls provide details for implementing the policy. The “dash one” controls are included in this \u003cem\u003ePolicy \u003c/em\u003ewhile the required implementation of the details for each security and privacy control are outlined in the ARS. This section provides an overview of the policy requirements associated with each “dash one” control family and includes additional details required for these “dash one” controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAccess Control (AC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAC-1\u003c/strong\u003e The Program must develop and document an access control policy that addresses purpose, scope, responsibility, management commitment, coordination among organizational entities, and compliance. 
The Access Control family of controls ensures access to information systems is limited to authorized users, processes acting on behalf of authorized users, and devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Access Control Policies and Procedures\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.2\u003c/em\u003e Develop an Access Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Access Control family of controls and following defined events in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.4\u003c/em\u003e Disseminate policies, procedures, and standards for the Access Control family of controls to all personnel who perform roles defined within this \u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.5 \u003c/em\u003eMaintain all policies, procedures, and standards associated with the Access Control family of controls to reflect applicable federal laws, executive orders, directives, regulations, policies, standards, and guidance.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.6 \u003c/em\u003eDefine access control policies and procedures to provide the foundation required to ensure privacy protections are implemented for the identified uses of PII and PHI.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training (AT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAT-1 \u003c/strong\u003eThe Program must develop and maintain minimum controls to ensure managers and users of information systems are made aware of the information security and 
privacy risks associated with their activities and of the applicable federal and agency requirements related to the information security and privacy of CMS systems. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Awareness and Training family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAT-1.1.1 Develop topic-based training to explain privacy processes carried out within CMS and update topic-based training courses when significant changes occur to privacy processes.\u003c/p\u003e\u003cp\u003eAT-1.1.2 Develop and implement an information security and privacy education, awareness, and training program for all employees and individuals working on behalf of CMS involved in managing, using, and/or operating information systems.\u003c/p\u003e\u003cp\u003eAT-1.1.2.1 Ensure information security awareness and training is provided to all employees and contractors, and that all employees and contractors review and acknowledge an approved RoB within sixty (60) days from entry on duty (EOD) date, or commencement of work on a contract or subcontract; and review and acknowledge the RoB annually thereafter.\u003c/p\u003e\u003cp\u003eAT-1.1.2.2 Ensure privacy awareness and training is provided within sixty (60) days from EOD date, or commencement of work on a contract or subcontract, and annually thereafter, to all employees and contractors to explain the importance and responsibility in safeguarding PII and PHI and ensuring privacy, as established in federal legislation, regulations, and OMB guidance.\u003c/p\u003e\u003cp\u003eAT-1.1.2.3 Ensure system information security and privacy training records are documented in support of annual FISMA reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-2\u003c/strong\u003e The Program must develop and maintain minimum controls to ensure those with 
“significant information security and privacy responsibilities” receive adequate role-based training (RBT) to carry out those responsibilities. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.1 \u003c/em\u003eEnsure initial and periodic information security and privacy RBT is provided for all individuals in roles that possess significant information security and privacy responsibilities, including those that are CMS federal employees, contractors, and subcontractors. CMS RBT must meet or exceed HHS RBT requirements, as follows:\u003c/p\u003e\u003cp\u003eAT-2.1.1 CMS must identify all personnel (employees and contractors) and their associated work roles with significant information security and privacy responsibilities, in accordance with the HHS Cybersecurity Coding Guide and the National Initiative for Cybersecurity Education (NICE) Framework. The Program will identify appropriate minimum RBT requirements for each identified role with significant information security and privacy responsibilities.\u003c/p\u003e\u003cp\u003eAT-2.1.2 All CMS employees, including managers, Senior Executive Service (SES) personnel, and contractors who have significant information security and privacy responsibilities, must complete minimum RBT requirements within sixty (60) days from EOD date, or commencement of work on a contract or subcontract. Thereafter, all personnel with significant information security and privacy responsibilities must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.3 Individuals who change roles within CMS such that they assume new significant information security and privacy responsibilities, or who otherwise assume such responsibilities, must complete RBT within 60 days of assuming those new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.4 All CMS employees and contractors with significant information security and privacy responsibilities who have not completed the required training within the mandated timeframes will have their user accounts disabled until they have met their RBT requirement.\u003c/p\u003e\u003cp\u003eAT-2.1.5 All companies/vendors contracting with CMS are responsible for ensuring that their personnel who have significant information security and privacy responsibilities have training commensurate with their role. Training records must be submitted to CMS upon commencement of work and annually thereafter (or upon request, whichever comes first).\u003c/p\u003e\u003cp\u003eAT-2.1.6 The CMS CISO, in coordination with the CMS's Training Coordinator(s) and Contracting Officers/Representatives (CO/COR), must track and maintain RBT records for all personnel with significant information security and privacy responsibilities. All training records must be retained consistently with an appropriately selected records retention schedule.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.2\u003c/em\u003e Develop appropriate security and privacy RBT for personnel with significant information security and privacy responsibilities in accordance with all relevant federal laws, regulations, and guidelines. The Program may provide such training in the form of CMS- or HHS-approved courses or professional development training, or in other appropriate formats. Personnel may also request approval for external training, such as certificate programs or college courses, to satisfy their RBT requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.3 \u003c/em\u003eRequire personnel wishing to receive credit for any form of RBT taken from an organization external to CMS, in satisfaction of any CMS or HHS training requirement, to first seek review and approval from their supervisor (or for contractors, from their employer). 
The Program may further require personnel to supply information concerning completion of such external programs (such as grade reports or certificates of completion) before providing personnel with credit or acknowledgment for having satisfied the relevant RBT requirement.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.4\u003c/em\u003e In addition to periodically identifying all \u003cem\u003eroles \u003c/em\u003eof personnel that have significant information security and privacy responsibilities, CMS will also periodically identify all \u003cem\u003especific individuals \u003c/em\u003ewho serve in roles with significant information security and privacy responsibilities. CMS managers are responsible for cooperating with the Program to identify individuals with significant information security and privacy responsibilities, and for ensuring that the personnel they manage are appropriately categorized in their roles. CMS managers will be required to complete this identification process as a CMS personnel needs assessment.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.5\u003c/em\u003e Personnel who assume multiple roles must complete at least one training that addresses the unique responsibilities associated with at least one role. CMS managers must also ensure the personnel they manage complete the appropriate minimum RBT requirements in the required time frames.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.6\u003c/em\u003e The Program may request verification of completion of RBT of all personnel from CMS managers. 
The Program may require managers to supply adequate information, for each individual completing RBT, to verify the individual's identity, the content of the RBT, and proof of completion of RBT.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-3\u003c/strong\u003e Develop an Awareness and Training Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-4 \u003c/strong\u003eReview and update policies, procedures, and standards for the Awareness and Training Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAudit and Accountability (AU)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAU-1\u003c/strong\u003e The Program must develop and maintain (within the Audit and Accountability family of controls) minimum controls to ensure information system audit records are created, protected, and retained to the extent needed to: (i) enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Audit and Accountability family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAU-1.1.1 Identify which events the organization audits, based on a risk assessment and mission/business needs.\u003c/p\u003e\u003cp\u003eAU-1.1.2 Identify and ensure a subset of auditable events applicable to the information system is chosen, based on threat information and risk assessment.\u003c/p\u003e\u003cp\u003eAU-1.1.3 Identify and ensure the rationale is provided for why the list of auditable events is deemed adequate to support incident investigations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.2\u003c/em\u003e Develop an Audit and Accountability Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.3\u003c/em\u003e Ensure audit record content for all CMS system components, at a minimum, includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of the event\u003c/li\u003e\u003cli\u003eComponent of the information system (e.g., software component, hardware component) where the event occurred\u003c/li\u003e\u003cli\u003eType of event\u003c/li\u003e\u003cli\u003eUser/subject identity\u003c/li\u003e\u003cli\u003eOutcome (success or failure) of the event\u003c/li\u003e\u003cli\u003eExecution of privileged functions.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eAU-1.4 \u003c/em\u003eEnsure audited events are significant and relevant to the information security and privacy needs associated with the information system.\u003c/p\u003e\u003cp\u003eAU-1.4.1 Auditing must be compliant with the \u003ca href=\"http://www.uscourts.gov/file/rules-evidence\"\u003eFederal Rules of Evidence \u003c/a\u003eas published by US Courts.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.5 \u003c/em\u003eDefine CMS 
processes, procedures, and standards for the maintenance and review of audit logs for indications of inappropriate or unusual activity to ensure:\u003c/p\u003e\u003cp\u003eAU-1.5.1 Findings are reported to the designated CMS officials, including system officials with a need to know (e.g., Business Owner, Security and Privacy Officer).\u003c/p\u003e\u003cp\u003eAU-1.5.2 The level of audit review, analysis, and reporting is adjusted when there is a change in risk.\u003c/p\u003e\u003cp\u003eAU-1.5.3 A uniform time source and time synchronization protocol is implemented across CMS, based on CMS-approved sources, so that audit records from different systems carry comparable timestamps and can be correlated during an investigation.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.6\u003c/em\u003e Ensure audit and accountability policies, processes, procedures, and standards directly support privacy audit and accountability requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.7 \u003c/em\u003eCoordinate information security- and privacy-related audit functions with other entities that require audit information to enhance mutual support and guide the selection of auditable events.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.8\u003c/em\u003e Review and update policies, procedures, and standards for the Audit and Accountability Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessment, Authorization, and Monitoring (CA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCA-1 \u003c/strong\u003eThe Program must develop and document a security assessment and authorization control policy governing the assessment and authorization of FISMA systems within the CMS enterprise environment or any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Security Assessment and Authorization family of security controls in the ARS to:\u003c/p\u003e\u003cp\u003eCA-1.1.1 Perform security assessments on information systems and the environments in which those systems operate as part of (i) initial and ongoing security authorizations, (ii) FISMA annual assessments, (iii) continuous monitoring, and (iv) system development life cycle activities.\u003c/p\u003e\u003cp\u003eCA-1.1.2 Authorize connections from the information system to other information systems through the use of Interconnection Security Agreements.\u003c/p\u003e\u003cp\u003eCA-1.1.3 Develop and submit a POA\u0026amp;M for the information system as a result of any security assessment findings.\u003c/p\u003e\u003cp\u003eCA-1.1.4 Develop an ISCM strategy and implement a program compliant with HHS ISCM Strategy.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.2\u003c/em\u003e Develop a Security Assessment and Authorization Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Security Assessment and Authorization Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfiguration Management (CM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCM-1 \u003c/strong\u003eThe CMS Configuration Management Executive must coordinate with the CMS CISO and the Program to document the configuration management processes and procedures to define configuration items at the system and component level (e.g., hardware, software, workstation); monitor configurations; and track and approve changes prior to implementation, including but not limited to 
flaw remediation, security patches, and emergency changes (e.g., unscheduled changes such as mitigating newly discovered security vulnerabilities, system crashes, replacement of critical hardware components). Baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) must be established and maintained throughout the respective system life cycles, and security configuration settings for information products employed in information systems must be established and enforced. In coordination with the CMS Configuration Management Executive, the Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Configuration Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCM-1.1.1 Ensure configuration management procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eCM-1.1.2 Ensure scheduled changes to networks or systems are authorized prior to implementation and are not permitted outside of the configuration management process.\u003c/p\u003e\u003cp\u003eCM-1.1.3 Monitor system configurations and changes to ensure configuration management processes and procedures are followed.\u003c/p\u003e\u003cp\u003eCM-1.1.4 Evaluate the configuration management process periodically, as specified in the ARS, as part of the required FISMA reporting process to verify adequacy and effectiveness.\u003c/p\u003e\u003cp\u003eThrough the Program the CMS CISO, in coordination with the CMS Configuration Management Executive, defines and develops policies to ensure CMS Business Owner/ISOs:\u003c/p\u003e\u003cp\u003eCM-1.1.5 Implement and enforce configuration management controls for all CMS systems and networks.\u003c/p\u003e\u003cp\u003eCM-1.1.6 Develop, document, and 
maintain a current baseline configuration of each system and the system's constituent components.\u003c/p\u003e\u003cp\u003eCM-1.1.7 Develop, document, and maintain an inventory of the components, both hardware and software, that includes relevant ownership information.\u003c/p\u003e\u003cp\u003eCM-1.1.8 Test, validate, and document proposed changes prior to implementation to assess the impact to the information security and privacy of data.\u003c/p\u003e\u003cp\u003eCM-1.1.9 Ensure systems categorized as “Moderate” or “High” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRetain older versions of baseline configurations as deemed necessary to support rollback\u003c/li\u003e\u003cli\u003eMaintain a baseline configuration for development and test environments to ensure development and test environments are managed separately from the operational environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThrough the program, the CMS CISO must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.10 Current (up-to-date) anti-virus (AV)/anti-malware and host-based intrusion detection system (HIDS) applications are included, as appropriate, on systems connected to the CMS network.\u003c/p\u003e\u003cp\u003eCM-1.1.11 AV software is configured to automatically perform periodic virus scanning.\u003c/p\u003e\u003cp\u003eCM-1.1.12 HIDS software is configured to automatically scan all inbound and outbound network traffic.\u003c/p\u003e\u003cp\u003eThe CMS Configuration Management Executive must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.13 All systems and system components adhere to \u003cem\u003eHHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eCM-1.1.14 Appropriate CCBs are created and managed for the review and approval of changes.\u003c/p\u003e\u003cp\u003eCM-1.1.15 Configuration management includes a representative from the system as a member of the CCB. 
Participation on the CCB is at the Security Control Assessors discretion. If the Security and Privacy Officer or Security Control Assessor acts as a voting member of the CCB, they must be a federal employee.\u003c/p\u003e\u003cp\u003eCM-1.1.16 Personnel with configuration management responsibilities are trained on CMS configuration management processes.\u003c/p\u003e\u003cp\u003eCM-1.1.17 Change documentation is maintained for no less than 12 months after a change is made.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.2\u003c/em\u003e Develop a Configuration Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.3\u003c/em\u003e For systems categorized as “High” under FIPS 199, ensure detection of unauthorized information security and privacy relevant configuration changes is incorporated into the incident response capability to ensure events are tracked, monitored, corrected, and available for historical purposes.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.4 \u003c/em\u003eReview and update policies, procedures, and standards for the Configuration Management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCP-1\u003c/strong\u003e The Program must develop and maintain the Contingency Planning family of controls to ensure contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems are established, maintained, and effectively implemented. IT Contingency Plans ensure the availability of critical information resources and continuity of operations in emergency situations. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Contingency Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCP-1.1.1 Work with Business Owners/ISOs to develop and document an IT contingency plan for all information systems in accordance with NIST SP 800-34 Revision 1, \u003cem\u003eContingency Planning Guide for Federal Information Systems, \u003c/em\u003eand all other relevant CP documentation defined in the ARS.\u003c/p\u003e\u003cp\u003eIT contingency plans must support:\u003c/p\u003e\u003cp\u003eCP-1.1.1.1 Applicable CMS continuity of operations plans (COOP), particularly for information systems supporting the continuity of CMS's essential business functions.\u003c/p\u003e\u003cp\u003eCP-1.1.1.2 Recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.\u003c/p\u003e\u003cp\u003eCP-1.1.1.3 Implementation of privacy-applicable requirements to reduce the risk of avoidable information security and privacy incidents and breaches while executing contingency measures.\u003c/p\u003e\u003cp\u003eIT contingency plans, as part of the required FISMA reporting process, must be:\u003c/p\u003e\u003cp\u003eCP-1.1.1.4 Reviewed and updated periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.1.5 Tested periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.2 Ensure systems categorized as “High” or “Moderate” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement a transaction recovery system for transaction-based systems\u003c/li\u003e\u003cli\u003ePerform coordinated contingency testing and/or exercises with organizational elements responsible for related plans.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3 Ensure systems categorized as “High” under FIPS 199 develop an IT contingency plan in coordination with 
organizational elements responsible for related plans (e.g., incident response).\u003c/p\u003e\u003cp\u003eCP-1.1.3.1 Business Owners/ISOs must develop and document a comprehensive system backup strategy for each system.\u003c/p\u003e\u003cp\u003eCP-1.1.3.1.1 The system backup strategy must document processes to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSupport the information system recovery\u003c/li\u003e\u003cli\u003eStore backup copies of the operating system and other critical information system software, as well as copies of the information system inventory, in a physically separate facility or in a fire-rated container not co-located with the operational system\u003c/li\u003e\u003cli\u003eMeet business continuity needs, including the identified RTO and RPO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3.1.2 Applicable alternate processing sites must be established that are compliant with FIPS 199 system categorization requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.2 \u003c/em\u003eDevelop a Contingency Planning Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.3 \u003c/em\u003eFor systems categorized as “High” (or as “Moderate” and supporting essential CMS mission or business functions) under FIPS 199, ensure the CMS Business Owner/ISO establishes and maintains appropriate alternate processing and storage site agreements that require:\u003c/p\u003e\u003cp\u003eCP-1.3.1 Alternate processing sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s) and primary processing site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate processing site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary processing site(s) are provided\u003c/li\u003e\u003cli\u003eBe configurable for use as an operational site. 
\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.3.2 Alternate storage sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate storage site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary storage site(s) are provided.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCP-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Contingency Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentification and Authentication (IA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIA-1 \u003c/strong\u003eThe Program must develop and maintain the Identification and Authentication family of controls to ensure information system users, processes acting on behalf of users, and devices are identified, and the identities authenticated (or verified) as a prerequisite to allowing access to information systems. 
Through the Program, the CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Identification and Authentication family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIA-1.1.1 Establish policy and procedures for the effective implementation of selected security controls and control enhancements in the IA control family.\u003c/p\u003e\u003cp\u003eIA-1.1.2 Ensure policy and procedures reflect applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eIA-1.1.3 Ensure the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and the organization meets all the requirements specified by HHS policy and applicable implementation standard(s).\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.2 \u003c/em\u003eDevelop an Identification and Authentication Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.3 \u003c/em\u003eEnsure all users, including federal employees, contractors, and entities with network access to systems, use multi-factor authentication. 
External facing applications must offer consumers multi-factor authentication as an option.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Identity and Authentication Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Response (IR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIR-1 \u003c/strong\u003eThe Program must develop and maintain the Incident Response family of controls to establish an operational incident handling capability for information systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked, documented, and reported. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Incident Response family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIR-1.1.1 Document, maintain, and communicate policies and procedures in accordance with the \u003cem\u003eHHS Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response \u003c/em\u003eand the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, including roles and responsibilities for information security and PII incidents and violation handling.\u003c/p\u003e\u003cp\u003eIR-1.1.2 Ensure CMS employees and contractors situational awareness through:\u003c/p\u003e\u003cp\u003eIR-1.1.2.1 Receipt of information system security and privacy alerts, advisories, and directives from designated external organizations on an ongoing basis.\u003c/p\u003e\u003cp\u003eIR-1.1.2.2 Generation of internal information security and privacy alerts, advisories, and directives as deemed necessary.\u003c/p\u003e\u003cp\u003eIR-1.1.2.3 
Dissemination of information security and privacy alerts, advisories, and directives to personnel (see the ARS for a complementary, CMS-defined process).\u003c/p\u003e\u003cp\u003eIR-1.1.3 Ensure CMS employees' and contractors' awareness of privacy-related incidents through:\u003c/p\u003e\u003cp\u003eIR-1.1.3.1 Development and implementation of privacy breach notification and response policies, processes, and standards.\u003c/p\u003e\u003cp\u003eIR-1.1.3.2 Appropriate notification of the SOP for all incidents involving PII or PHI.\u003c/p\u003e\u003cp\u003eIR-1.1.4 Ensure CMS employees and contractors maintain incident response processes and procedures by:\u003c/p\u003e\u003cp\u003eIR-1.1.4.1 Reviewing and updating Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.2 Testing Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.3 Incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.\u003c/p\u003e\u003cp\u003eIR-1.1.5 Ensure CMS employees and contractors maintain familiarity with incident response processes and procedures through periodic training, as defined in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.2 \u003c/em\u003eThe CMS CISO, in coordination with the CMS Director of CCIC and Business Owners/ISOs, must establish and maintain an information security and privacy incident and breach response capability that includes preparation, identification, containment, eradication, recovery, and follow-up capabilities to ensure effective recovery from information security and privacy incidents and breaches.\u003c/p\u003e\u003cp\u003eIR-1.2.1 For systems categorized as “Moderate” or “High” under FIPS 199, incident handling activities must be coordinated with contingency planning activities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.3 \u003c/em\u003eDevelop an Incident Response Policy which is consistent with the ARS and 
other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Incident Response Control family of controls and following defined events in ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMaintenance (MA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMA-1\u003c/strong\u003e The Program must develop and maintain the System Maintenance family of controls to ensure (i) periodic and timely maintenance on organizational information systems is performed and (ii) effective controls are established for the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. The Program must:\u003c/p\u003e\u003cp\u003eMA-1.1 Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Maintenance family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMA-1.1.1 Ensure privacy considerations are included in system maintenance policy and procedures, especially when the system contains information subject to the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA.\u003c/p\u003e\u003cp\u003eMA-1.1.2 Ensure routine preventative and regular maintenance (including repairs) on the components of all CMS information systems, supporting utilities, and ancillary equipment (e.g., within the data center, used for testing) are scheduled, performed, documented, and reviewed.\u003c/p\u003e\u003cp\u003eMA-1.1.2.1 Maintenance processes and procedures must be compliant with CMS processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.2.2 Maintenance processes and procedures may reference manufacturer or vendor specifications.\u003c/p\u003e\u003cp\u003eMA-1.1.3 Ensure information system maintenance tools are approved, controlled, maintained, and monitored as required.\u003c/p\u003e\u003cp\u003eMA-1.1.4 Ensure only authorized personnel are allowed to perform maintenance on 
the information system through established processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.4.1 Personnel authorized to perform maintenance must be compliant with requirements defined under the Awareness and Training and Personnel Security sections of this document.\u003c/p\u003e\u003cp\u003eMA-1.1.5 For non-local (e.g., remote) maintenance and diagnostic services ensure:\u003c/p\u003e\u003cp\u003eMA-1.1.5.1 Services are authorized, monitored, and controlled.\u003c/p\u003e\u003cp\u003eMA-1.1.5.2 Tools are consistent with organizational policy and documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.5.3 Strong identification and authentication techniques are employed in the establishment of sessions.\u003c/p\u003e\u003cp\u003eMA-1.1.5.4 Activity records are maintained.\u003c/p\u003e\u003cp\u003eMA-1.1.5.5 All sessions and network connections are terminated when non-local maintenance is completed.\u003c/p\u003e\u003cp\u003eMA-1.1.6 Ensure appropriate protection of information systems and/or components being removed:\u003c/p\u003e\u003cp\u003eMA-1.1.6.1 The CMS Business Owner/ISO or designated federal employee must approve the removal of information systems and/or system components for offsite maintenance/repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.6.2 The equipment/media must be sanitized in a manner compliant with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST sanitization standards\u003c/a\u003e prior to removal from organizational facilities for offsite maintenance or repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.7 For systems categorized as “Moderate” or “High” under FIPS 199, maintenance records must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance\u003c/li\u003e\u003cli\u003eName of the individual performing the maintenance\u003c/li\u003e\u003cli\u003eName of escort, if necessary\u003c/li\u003e\u003cli\u003eDescription of the 
maintenance performed\u003c/li\u003e\u003cli\u003eList of equipment (including components and parts), including the removal and/or replacement of applicable identification numbers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.7.1 Inspect all maintenance tools carried into a facility by maintenance personnel for improper modifications.\u003c/p\u003e\u003cp\u003eMA-1.1.7.2 Check all media containing diagnostic and test applications and programs for malicious code before the media is used in the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.7.3 Ensure non-local maintenance and diagnostic sessions, including review of the maintenance records of the sessions, are audited by the Security and Privacy Officer.\u003c/p\u003e\u003cp\u003eMA-1.1.7.4 Ensure installation and use of non-local maintenance and diagnostic connections are documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.8 For systems categorized as “High” under FIPS 199, CMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.8.1 Employ automated mechanisms to schedule, conduct, and document any required maintenance and repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.8.2 Produce and maintain up-to-date, accurate, complete, and available records of all maintenance and repair actions that are needed, in process, and completed.\u003c/p\u003e\u003cp\u003eMA-1.1.8.3 Prevent the unauthorized removal of maintenance equipment/media by performing one of the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying there is no CMS sensitive information contained on the equipment/media\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment/media in a manner compliant with NIST or DoD guidance\u003c/li\u003e\u003cli\u003eRetaining the equipment/media within the facility\u003c/li\u003e\u003cli\u003eDocumenting the removal of the equipment/media from the facility with an exemption signed by the Business 
Owner/ISO or designated federal employee\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eMA-1.2 \u003c/em\u003eDevelop a Maintenance Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Maintenance Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMedia Protection (MP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMP-1 \u003c/strong\u003eThe Program must develop and maintain the Media Protection family of controls to ensure information system media containing sensitive information, both digital and non-digital, is protected by (i) limiting access to authorized users and (ii) sanitizing or destroying information system media before disposal or release for reuse. The program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Media Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMP-1.1.1 Inform all employees and contractors with potential access to sensitive information, such as PII or PHI, about all policies and procedures to protect any sensitive information residing on the various media types used by CMS.\u003c/p\u003e\u003cp\u003eMP-1.1.2 Ensure procedures exist for protecting information system media during transport, specifically through the use of cryptography and restricting the transport of such media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp\u003eMP-1.1.3 Develop and maintain processes, procedures, and standards to ensure information system media, both digital and non-digital, are properly sanitized and/or disposed of.\u003c/p\u003e\u003cp\u003eMP-1.1.3.1 Ensure sanitization and disposal 
techniques (i.e., clear, purge, destroy) for digital and non-digital media are in compliance with NIST SP 800-88 Revision 1, \u003cem\u003eGuidelines for Media Sanitization, \u003c/em\u003eincluding the media sanitization decision matrix, prior to disposal, release, and transfer of custody for re-use.\u003c/p\u003e\u003cp\u003eMP-1.1.4 Ensure all confidential or classified information is sanitized and disposed of in accordance with policy, procedures, and standards established by the National Security Agency (NSA) and DoD.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.2 \u003c/em\u003eDevelop a Media Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Media Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePhysical and Environmental Protection (PE)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePhysical controls are important for protecting FTI, PII and PHI against unauthorized access, use, and disclosure. Environmental controls can be critical when FTI and PII have high availability requirements (e.g., core mission capabilities of an organization rely on consistent and frequent access to PII/FTI)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePE-1\u003c/strong\u003e The Program must develop and maintain the Physical and Environmental Protection family of controls to ensure physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Physical and Environmental Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePE-1.1.1 Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.\u003c/p\u003e\u003cp\u003ePE-1.1.2 Protect the physical plant and support infrastructure for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.3 Provide supporting utilities for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.4 Protect against environmental hazards.\u003c/p\u003e\u003cp\u003ePE-1.1.5 Consider the data sensitivity when defining physical and environmental controls for systems.\u003c/p\u003e\u003cp\u003ePE-1.1.6 Maintain an understanding that the sensitivity of information impacts the necessary physical and environmental controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.2 \u003c/em\u003eDevelop a Physical and Environmental Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Physical and Environmental Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePlanning (PL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePL-1\u003c/strong\u003e The Program must develop and maintain the Planning family of controls to ensure information security and privacy planning for FISMA systems are performed within the CMS enterprise environment and on any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.1 \u003c/em\u003eDesignate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePL-1.1.1 Develop, document, and maintain information security and privacy plans for each CMS system and network:\u003c/p\u003e\u003cp\u003ePL-1.1.1.1 Security plans must be in accordance with NIST SP 800-18 Revision 1, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e.\u003c/p\u003e\u003cp\u003ePL-1.1.1.2 Privacy plans must address the privacy requirements for confidentiality, availability, and integrity for the organization and individual information system(s).\u003c/p\u003e\u003cp\u003ePL-1.1.1.3 Business Owners/ISOs must review and update the information security and privacy plans periodically as defined in the ARS, and following defined events in the ARS and applicable control implementation statements of the associated PL controls.\u003c/p\u003e\u003cp\u003ePL-1.1.2 Develop, document, and maintain an Information Security Architecture to:\u003c/p\u003e\u003cp\u003ePL-1.1.2.1 Document the information security segments of the CMS enterprise architecture in accordance with OMB Circular A-130.\u003c/p\u003e\u003cp\u003ePL-1.1.2.2 Fully integrate information security and privacy into the CMS architecture framework.\u003c/p\u003e\u003cp\u003ePL-1.1.3 Review and update the security segments of the CMS enterprise architecture periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4 Develop, document, and maintain the CMS Acceptable Use standards within the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy.\u003c/em\u003e\u003c/p\u003e\u003cp\u003ePL-1.1.4.1 Privacy requirements must be identified in contracts and acquisition-related documents.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2 CMS employees and 
contractors (users) must:\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.1 Be informed that the use of CMS IT resources, other than for authorized purposes, is a violation of the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy \u003c/em\u003eand is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges, which could result in imprisonment.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.2 Be prohibited from transmitting sensitive CMS information using any non-CMS-approved Internet-based mechanism, including but not limited to personal email, file-sharing, file transfer, and backup services.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.3 Read and sign the HHS RoB periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4.3 Personal use of CMS IT resources must comply with the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy\u003c/em\u003e, which governs the appropriate use of CMS IT resources to ensure personal use of those resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.2\u003c/em\u003e Develop a Planning Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram Management (PM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePM-1 \u003c/strong\u003eThe Program must develop and maintain the Program Management family of controls to ensure CMS develops an organization-wide information security and privacy program. The Program Management (PM) controls are typically implemented at the organization level and not specifically directed at individual information systems. 
Through the PM implementation of the controls, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Program Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePM-1.1.1 Periodically review and update the Program Plan following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003ePM-1.1.2 CMS develops, maintains, and reviews:\u003c/p\u003e\u003cp\u003ePM-1.1.2.1 Information security and privacy policy as an overview of the information security and privacy management controls and common controls.\u003c/p\u003e\u003cp\u003ePM-1.1.2.2 Policy and procedures to ensure requirements for protecting controlled unclassified information processed, stored, or transmitted on external systems are implemented.\u003c/p\u003e\u003cp\u003ePM-1.1.2.3 An accurate accounting of disclosures of personally identifiable information as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.4 Policies and procedures for reviewing the accuracy, relevance, timeliness, and completeness of PII across the information life cycle as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.5 The process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.\u003c/p\u003e\u003cp\u003ePM-1.1.2.6 A privacy program structured to inform the information security program of all privacy-related requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3 CMS identifies roles, responsibilities, and compliance requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3.1 CMS must appoint the CISO as the Senior Information Security Officer.\u003c/p\u003e\u003cp\u003e
PM-1.1.3.2 CMS must appoint individuals with specific roles and responsibilities.\u003c/p\u003e\u003cp\u003ePM-1.1.4 CMS holds the approved AO accountable for the risk to the operations within CMS, organizational assets, individuals, and the nation.\u003c/p\u003e\u003cp\u003ePM-1.1.5 CMS develops, implements, and maintains a Risk Management Strategy to:\u003c/p\u003e\u003cp\u003ePM-1.1.5.1 Document remediation actions responding to identified risk.\u003c/p\u003e\u003cp\u003ePM-1.1.5.2 Develop and implement a POA\u0026amp;M process to address information security and privacy risks identified in its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.3 Develop and maintain inventory listings of its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.4 Measure the effectiveness of the Program, information security controls, and privacy controls.\u003c/p\u003e\u003cp\u003ePM-1.1.6 CMS develops, implements, and maintains a testing, training, and monitoring program.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.2 \u003c/em\u003eDevelop a Program Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Security (PS)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePS-1 \u003c/strong\u003eThe Program must develop and maintain the Personnel Security family of controls to ensure (i) CMS information systems employ personnel security controls consistent with applicable laws, executive orders, policies, directives, regulations, standards, and guidelines and (ii) procedures are developed to guide the implementation of personnel security controls. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personnel Security family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePS-1.1.1 CMS information systems employ personnel security controls consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003ePS-1.1.2 Processes and procedures are developed to guide the implementation of personnel security controls.\u003c/p\u003e\u003cp\u003ePS-1.1.2.1 Where appropriate, roles that require access to sensitive information (such as PII and PHI) must apply additional personnel security measures.\u003c/p\u003e\u003cp\u003ePS-1.1.3 Individuals occupying positions of responsibility within organizations (i.e., including third-party service providers) are trustworthy and meet established security criteria for the positions of responsibility.\u003c/p\u003e\u003cp\u003ePS-1.1.4 Information and information systems are adequately protected when personnel actions occur such as initial employment, terminations, and transfers.\u003c/p\u003e\u003cp\u003ePS-1.1.5 Formal sanctions for personnel failing to comply with organizational security policies and procedures are employed.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.2\u003c/em\u003e Develop a Personnel Security Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Personnel Security Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePII Processing and Transparency (PT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePT-1\u003c/strong\u003e The Program must develop and maintain the Processing 
and Transparency family of controls to ensure the confidentiality of Personally Identifiable Information being processed and maintained by CMS organizational information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personally Identifiable Information Processing and Transparency family of controls in the ARS. The Program must:\u003c/p\u003e\u003cp\u003ePT-1-1-1 Coordinate with the SOP and the CISO in establishing the organizational authority for the use of Personally Identifiable Information being processed and developing processes to restrict the use of PII.\u003c/p\u003e\u003cp\u003ePT-1-1-2 Ensure public notices and policies are developed to describe the purpose for processing PII and monitoring changes.\u003c/p\u003e\u003cp\u003ePT-1-1-3 Ensure procedures are in place for individuals to consent to the processing of their personally identifiable information prior to its collection to allow for them to make informed decisions regarding the use of their personal information.\u003c/p\u003e\u003cp\u003ePT-1-1-4 Establish privacy risk assessments associated with the processing of personally identifiable information to help determine the appropriate elements to include in privacy notices.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Develop, publish, and maintain system of records notices in accordance with OMB guidance when systems are used to maintain a group of any record under the control of CMS from which information is retrieved by the name of an individual or some type of identifying number, symbol, or other identifier.\u003c/p\u003e\u003cp\u003ePT-1-1-6 Obtain approval from the Data Integrity Board when systems or organizations conduct computer matching programs.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2 \u003c/em\u003eDevelop a Personally Identifiable Information Processing and Transparency Policy which is consistent with 
the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-3\u003c/em\u003e Review and update policies, procedures, and standards for the Personally Identifiable Information Processing and Transparency Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eRA-1\u003c/strong\u003e Designate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Risk Assessment family of controls to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the risk to organizational operations (e.g., mission, functions, image, reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information, is assessed.\u003c/li\u003e\u003cli\u003eDevelop, document, implement, and update a risk assessment at least every three years or whenever a significant change occurs to the information system, a change in the threat environment occurs, a significant data breach occurs, or the ATO has expired.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.1 \u003c/em\u003eDevelop and maintain effective implementation of selected information security and privacy controls and control enhancements in the Risk Assessment family of controls as described in the ARS to ensure formal risk assessment processes and policies provide the foundation for protecting sensitive information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.2 \u003c/em\u003eDevelop a Risk Assessment Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Risk Assessment Control family of controls and following defined 
events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Services Acquisition (SA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSA-1 \u003c/strong\u003eThe Program must develop and maintain the System and Services Acquisition family of controls to ensure contracts, especially the Statement of Work (SOW) within the contract, are reviewed for appropriate information security and privacy contracting language specific to the technology or service being acquired. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Services Acquisition family of controls defined in the ARS to ensure:\u003c/p\u003e\u003cp\u003eSA-1.1.1 Appropriate information security and privacy documentation (i.e., information security and privacy functional requirements/specifications, information security-related and privacy-related documentation requirements, and developmental and evaluation- related assurance requirements) are contractually required for the development or acquisition of new systems.\u003c/p\u003e\u003cp\u003eSA-1.1.2 Appropriate information security and privacy language to protect sensitive information, such as PII and PHI, is contractually required for the development, acquisition, or operation of systems, when applicable.\u003c/p\u003e\u003cp\u003eSA-1.1.3 Documented processes and procedures are developed and implemented effectively to facilitate the acquisition of information security and privacy controls in all system and services acquisitions.\u003c/p\u003e\u003cp\u003eSA-1.1.4 Processes and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSA-1.1.5 Sufficient resources to adequately protect organizational 
information systems are allocated by the responsible organization.\u003c/p\u003e\u003cp\u003eSA-1.1.6 System development life cycle processes, as defined under the SDLC, incorporate required information security and privacy considerations.\u003c/p\u003e\u003cp\u003eSA-1.1.7 Software usage and installation restrictions are employed and compliant with CMS policy.\u003c/p\u003e\u003cp\u003eSA-1.1.8 Security specifications, either explicitly or by reference, are included in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal requirements and industry best practices.\u003c/p\u003e\u003cp\u003eSA-1.1.9 Security measures consistent with applicable federal requirements and industry best practices to protect information, applications, and/or services outsourced from the organization are required of third-party vendors and are verified as specified in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.2 \u003c/em\u003eDevelop a System and Services Acquisition Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Services Acquisition Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Communications Protection (SC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSC-1\u003c/strong\u003e The Program must develop and maintain the System and Communications Protection family of controls to ensure the organization develops, documents, and maintains system and communications protection policy, processes, and procedures. 
Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Communications Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSC-1.1.1 Review and update the System and Communications Protection Policies and Procedures periodically and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003eSC-1.1.2 Protect the system's assets and information while in transmission or at rest with technical controls based on:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe confidentiality, integrity, and availability of the system\u003c/li\u003e\u003cli\u003eThe sensitivity of information (e.g., PII and PHI) processed or stored by the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.3 Ensure the information system separates user functionality, including user interface services, from system management functionality 
by applying the systems security engineering design principles within the TRA to:\u003c/p\u003e\u003cp\u003eSC-1.1.3.1 Isolate access and information flow control from non-security functions and from other security functions.\u003c/p\u003e\u003cp\u003eSC-1.1.3.2 Determine whether the information system uses underlying hardware separation mechanisms to implement security function isolation.\u003c/p\u003e\u003cp\u003eSC-1.1.3.3 Minimize the number of non-security functions included within the isolation boundary containing security functions by implementing security and privacy functions as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLargely independent modules to maximize internal cohesiveness within modules and minimize coupling between modules.\u003c/li\u003e\u003cli\u003eA layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.4 Implement information security and privacy controls throughout the SDLC of each system by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplementing usage restrictions based on the potential risk of harm to an information system\u003c/li\u003e\u003cli\u003eAuthorizing, monitoring, and controlling the use of such components within the information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.5 Operate websites that are within the restrictions stated in federal policies and directives.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.2\u003c/em\u003e Develop a System and Communications Protection Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Communications Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and 
Information Integrity (SI)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSI-1 \u003c/strong\u003eThe Program must develop and maintain the System and Information Integrity family of controls to establish and maintain policy and procedures for the effective implementation of selected information security controls and control enhancements. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSI-1.1.1 Policy, processes, and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSI-1.1.2 Policy, processes, and procedures are implemented to protect the integrity of systems and information and to meet the \u003cem\u003ePrivacy Act \u003c/em\u003erequirements for protection against any anticipated threats or hazards to the security or integrity of records.\u003c/p\u003e\u003cp\u003eSI-1.1.3 Information and information system flaws are identified, reported, and corrected in a timely manner, as defined within the ARS.\u003c/p\u003e\u003cp\u003eSI-1.1.4 Protection from malicious code is provided at appropriate locations within organizational information systems.\u003c/p\u003e\u003cp\u003eSI-1.1.5 Information system security and privacy alerts and advisories issued are monitored and appropriate action taken in response.\u003c/p\u003e\u003cp\u003eSI-1.1.6 Minimum information security and privacy controls are supplemented, as warranted, based on an assessment of risk and local conditions, including organization- specific security requirements, specific threat information, cost-benefit analysis, and special circumstances.\u003c/p\u003e\u003cp\u003eSI-1.1.7 A monitoring strategy is developed 
to implement an ISCM program that is compliant with Federal Rules of Evidence Section 803(6).\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.2 \u003c/em\u003eDevelop a System and Information Integrity Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Information Integrity Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSupply Chain Risk Management (SR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSR-1\u003c/strong\u003e The Program must develop and maintain the Supply Chain Risk Management (SR) family of controls to establish and maintain policy and procedures for the effective implementation of the selected information security controls and control enhancements. In coordination with the CISO and the Program, the organization must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Supply Chain Risk Management family of controls in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.2\u003c/em\u003e Develop a Supply Chain Risk Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.3\u003c/em\u003e Coordinate with the CMS CISO to establish a process to identify and address weaknesses or deficiencies in the supply chain elements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.4 \u003c/em\u003eEstablish procedures and agreements with entities involved in the supply chain for systems, system components, or system services to ensure notification of supply chain compromises that can potentially adversely affect organizational systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.5\u003c/em\u003e Review and 
update policies, procedures, and standards for the Supply Chain Risk Management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eNon-Compliance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe HHS Rules of Behavior (RoB) for Use of HHS Information and IT Resources Policy cannot account for every possible situation. Therefore, where this \u003cem\u003ePolicy \u003c/em\u003edoes not provide explicit guidance, personnel shall use their best judgment to apply the principles set forth in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Pages/EthicsManagementOffice.aspx\"\u003estandards\u003c/a\u003e for \u003ca href=\"https://www.ecfr.gov/current/title-5/chapter-XVI/subchapter-B/part-2635\"\u003eethical conduct\u003c/a\u003e to guide their actions and seek guidance when appropriate from the Chief Information Officer (CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this Policy may be cause for disciplinary and non-disciplinary actions. 
Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSuspension of access privileges;\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, and/or facilities;\u003c/li\u003e\u003cli\u003eReprimand;\u003c/li\u003e\u003cli\u003eTermination of employment;\u003c/li\u003e\u003cli\u003eSuspension without pay;\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects;\u003c/li\u003e\u003cli\u003eMonetary fines;\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment;\u003c/li\u003e\u003cli\u003eDeactivation of accounts.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eInformation and Assistance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS ISPG is responsible for the development and management of this policy. Questions, comments, suggestions, and requests for information about this \u003cem\u003ePolicy \u003c/em\u003eshould be directed to \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEffective Date and Implementation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe effective date of this policy is the date on which the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe CMS CIO has the authority to grant a one (1) year extension of the policy. 
To archive this policy, approval must be granted, in writing, by the CMS CIO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eApproval\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eGeorge Hoffmann\u003c/p\u003e\u003cp\u003eCMS Chief Information Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConcurrence\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis document will be reviewed in accordance with the established review schedule located on the CMS website.\u003c/p\u003e\u003cp\u003eKeith Busby\u003c/p\u003e\u003cp\u003eCMS Chief Information Security Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthoritative References, Statutes, Orders, Directives, Policies, and Guidance\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eFederal Directives and Policies\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eFederal Continuity Directive 1 (FCD 1): Federal Executive Branch National Continuity Program and Requirements, February 2008\u003c/li\u003e\u003cli\u003eHSPD-12, \u003cem\u003ePolicy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-7, \u003cem\u003eCritical Infrastructure Identification, Prioritization, and Protection\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOffice of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology: Statement of Organization, Functions, and Delegations of Authority, 74 Fed. Reg. 57679-57682 (2009)\u003c/li\u003e\u003cli\u003eOffice for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009)\u003c/li\u003e\u003cli\u003eOffice of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 73 Fed. Reg. 31486-31487 (2008)\u003c/li\u003e\u003cli\u003eOffice of the Secretary: Statement of Organization, Functions, and Delegations of Authority, 72 Fed. Reg. 
19000-19001 (2007)\u003c/li\u003e\u003cli\u003eOffice of Personnel Management (OPM) Regulation 5 Code of Federal Regulations (CFR) 930.301\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eThe Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009\u003c/li\u003e\u003cli\u003e\u003cem\u003ePublic Welfare\u003c/em\u003e, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.\u003c/li\u003e\u003cli\u003eFederal Acquisition Regulation (as amended)\u003c/li\u003e\u003cli\u003eE-Government Act of 2002\u003c/li\u003e\u003cli\u003eThe Federal Information Security Management Act (Pub. L. No. 107-347)\u003c/li\u003e\u003cli\u003eClinger-Cohen Act of 1996\u003c/li\u003e\u003cli\u003eThe Health Insurance Portability and Accountability Act of 1996\u003c/li\u003e\u003cli\u003ePaperwork Reduction Act of 1995\u003c/li\u003e\u003cli\u003eChildren's Online Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Computer Matching and Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 (as amended)\u003c/li\u003e\u003cli\u003eOffice of Federal Procurement Policy Act of 1974\u003c/li\u003e\u003cli\u003eFreedom of Information Act of 1966 (Public Law 89-554, 80 Stat. 383; Amended 1996, 2002, 2007)\u003c/li\u003e\u003cli\u003eFederal Records Act of 1950\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003e
HHS Policy\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eHHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2021-03-001, \u003cem\u003eHHS Policy for Information Technology Procurements - Security and Privacy Language\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2020-01-001, \u003cem\u003eHHS Policy for Securing Wireless Local Area Networks\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-05-003, \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-06-004, \u003cem\u003eHHS Policy for Records Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2019-05-004, \u003cem\u003eHHS Rules of Behavior for the Use of HHS Information and IT Resources Policy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2018-0001.002S, \u003cem\u003eHHS System Inventory Management Standard\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2017-0001.001S\u003cem\u003e, HHS OCIO Minimum Security Configuration Standards Guidance\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2016-0005\u003cem\u003e, HHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2013-0004\u003cem\u003e, Policy for Personal Use of Information Technology Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2012-0001.001S, \u003cem\u003eStandard for Plans of Action and Milestones (POA\u0026amp;M) Management and Reporting\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2010-0002, \u003cem\u003eHHS-OCIO Policy for Capital Planning and Investment Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0004.001, \u003cem\u003eHHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle 
(EPLC)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0001.003, \u003cem\u003eHHS Policy for Responding to Breaches of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS CSIRC Concept of Operations\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Minimum Security Configuration Standards\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eResolving Security Audit Finding Disputes\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity of Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eOffice of Inspector General Management Implication Report Need for Departmental Security Enhancements for Information Technology Assets\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eUpdated Departmental Standard for the Definition of Sensitive Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eRole-Based Training (RBT) of Personnel with Significant Security Responsibilities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS \u003cem\u003ePolicy for Information Technology (IT): Security and Privacy Incident Reporting and Response\u003c/em\u003e\u003c/li\u003e\u003cli\u003e48 CFR Chapter 3 \u003cem\u003eHealth and Human Services Acquisition Regulation (HHSAR)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFAC-2005-46, Federal Acquisition Regulation (FAR), amendments\u003c/li\u003e\u003cli\u003e\u003cem\u003eDepartment Information Security Policy/Standard Waiver\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS 
Information Security Program \u003cem\u003ePrivacy in the System Development Life Cycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eFederal Information Processing Standards (FIPS) 200 Implementation\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS National Security Information Manual\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Personnel Security/Suitability Handbook\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOMB Policy and Memoranda\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eOMB Circular A-108,\u003cem\u003e Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-127, \u003cem\u003eFinancial Management Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-130, \u003cem\u003eManagement of Federal Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-123, \u003cem\u003eManagement Accountability and Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-14-03, \u003cem\u003eEnhancing the Security of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-13-13, \u003cem\u003eOpen Data Policy Managing Information as an Asset\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-12-20, \u003cem\u003eFY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-33, \u003cem\u003eFY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-29, \u003cem\u003eChief Information Officer Authorities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-16, \u003cem\u003e2011 Issuance of Revised Parts I and II to Appendix C of OMB Circular A- 123\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-11, 
\u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-02, \u003cem\u003eSharing Data While Protecting Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-22, \u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-23, \u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-15, \u003cem\u003eFY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-06, \u003cem\u003eOpen Government Directive\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-09-29, \u003cem\u003eFY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-21, \u003cem\u003eFY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-23, \u003cem\u003eSecuring the Federal Government's Domain Name System Infrastructure\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-09, \u003cem\u003eNew FISMA Privacy Reporting Requirements for FY 2008\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-10, \u003cem\u003eUse of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-20, \u003cem\u003eFY 2007 E-Government Act Reporting Instructions\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-19, \u003cem\u003eFY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-16, 
\u003cem\u003eSafeguarding Against and Responding to the Breach of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-20, \u003cem\u003eFY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-19, \u003cem\u003eReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-16, \u003cem\u003eProtection of Sensitive Agency Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-15, \u003cem\u003eSafeguarding Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-24, \u003cem\u003eImplementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-15, \u003cem\u003eFY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-08, \u003cem\u003eDesignation of Senior Agency Officials for Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-04, \u003cem\u003ePolicies for Federal Agency Public Websites\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-26, \u003cem\u003ePersonal Use Policies and File Sharing Technology\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-03-22, \u003cem\u003eOMB Guidance for Implementing the Privacy Provisions of the E- Government Act of 2002 (as amended)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-04, \u003cem\u003eE-Authentication Guidance for Federal Agencies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-24, \u003cem\u003eReporting Instructions for the Government Information Security Reform Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-05, 
\u003cem\u003eGuidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-20, \u003cem\u003eSecurity of Federal Automated Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-05, \u003cem\u003eInstructions on Complying with President's Memorandum of May 14, 1998, \"Privacy and Personal Information in Federal Records\"\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-96-20, \u003cem\u003eImplementation of the Information Technology Management Reform Act of 1996\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eNIST SP 800-122, \u003cem\u003eGuide to Protecting Confidentiality of PII\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-81, \u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-65, \u003cem\u003eIntegrating IT Security into the Capital Planning and Investment Control Process\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-64, \u003cem\u003eSecurity Considerations in the System Development Lifecycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-63, \u003cem\u003eElectronic Authentication Guideline\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-61, \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-58, \u003cem\u003eSecurity Considerations for Voice Over IP Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53A, \u003cem\u003eGuide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment 
Plans\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53, \u003cem\u003eRecommended Security Controls for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-37, \u003cem\u003eGuide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-34, \u003cem\u003eContingency Planning Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-30, \u003cem\u003eRisk Management Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-16, \u003cem\u003eInformation Technology Security Training Requirements: A Role- and Performance-Based Model\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST \u003cem\u003eUnited States Government Configuration Baseline for Windows XP \u0026amp; Vista\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 200, \u003cem\u003eMinimum Security Requirements for Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 199, \u003cem\u003eStandards for Security Categorization of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 140-3, \u003cem\u003eSecurity Requirements for Cryptographic Modules\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST United States Government Configuration Baseline (USGCB)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Policy and Directives\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCMS Information Security Acceptable Risk Safeguards, CMS ARS Version 5.0\u003c/li\u003e\u003cli\u003eCMS Vulnerability Disclosure Policy Program\u003c/li\u003e\u003cli\u003eCMS Supply Chain Risk Management Policy\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAssociated CMS 
Resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISPG Library is available at: \u003ca href=\"https://security.cms.gov/\"\u003ehttps://security.cms.gov\u003c/a\u003e. It contains up-to-date policies, procedures, and directives, including those approved after release of this Policy.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:T34350,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53, Revision 5, and other federal requirements, this \u003cem\u003ePolicy \u003c/em\u003edefines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information. As the federal agency responsible for administering the Medicare, Medicaid, Children's Health Insurance Program (CHIP), and Health Insurance Exchange (HIX), CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, or guidance. 
All NIST Special Publication (SP) 800 series are applicable to CMS policy including the \u003cem\u003eIS2P2\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003erequires all CMS stakeholders, including Business Owners and System Security and Privacy Officer (previously known as ISSO) to implement adequate information security and privacy safeguards to protect all CMS-sensitive information. The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the Senior Official for Privacy (SOP) jointly develop and maintain this document. All references contained in this \u003cem\u003ePolicy \u003c/em\u003eare subject to periodic revision, update, and reissuance.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS Information Security and Privacy Group (ISPG), under the direction of the CMS Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), is tasked with overseeing the Cybersecurity and Privacy Programs for the agency. Following the Federal and HHS requirements, CMS ISPG identifies cybersecurity and privacy risks, implements mitigation strategies and ensures the confidentiality, integrity and availability of CMS-sensitive information and information systems. These activities are aimed at safeguarding and preventing unauthorized disclosure of Personally Identifiable Information (PII) and Protected Health Information (PHI) entrusted to CMS.\u003c/p\u003e\u003cp\u003eISPG recognized the need to develop a policy that references and incorporates the security and privacy requirements from authoritative sources while tailoring it to suit the CMS physical and information technology environments. This \u003cem\u003ePolicy \u003c/em\u003eexplains the scope and applicability of security and privacy requirements as it pertains to CMS information systems. 
This \u003cem\u003ePolicy \u003c/em\u003ealso defines the security and privacy control baselines as well as the supplemental controls available for selection and should be used in conjunction with the \u003cem\u003eAcceptable Risk Safeguards (ARS)\u003c/em\u003e, CMS process guidelines, and other supporting CMS-established policies, procedures, and standards. The format of these requirements is scalable to accommodate modifications or the addition of new requirements over time as a result of the ever-changing cybersecurity landscape.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003esupersedes the \u003cem\u003eCMS Information System Security and Privacy Policy (IS2P2) v 3.3\u003c/em\u003e, supplements HHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P) v 1.1\u003c/em\u003e, and applies to all CMS personnel or entities:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConducting business for CMS\u003c/li\u003e\u003cli\u003eCollecting or maintaining information for CMS\u003c/li\u003e\u003cli\u003eUsing or operating information systems on behalf of CMS, whether directly or through contractual relationships.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS personnel and entities include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational components, centers, or offices\u003c/li\u003e\u003cli\u003eFederal employees, contractor personnel, interns, or other non-government employees operating on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not supersede any other applicable laws, higher-level agency directives, or the existing labor-management agreement in place.\u003c/p\u003e\u003cp\u003eThe contents of and the compliance with this \u003cem\u003ePolicy \u003c/em\u003emust be incorporated into the applicable contract language, as 
appropriate. Any contract, agreement, or other arrangement that collects, creates, uses, discloses, or maintains sensitive information, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI), must comply with this \u003cem\u003ePolicy\u003c/em\u003e. In some cases, other external agency policies may also apply (e.g., if a system processes, stores, or transmits Federal Tax Information [FTI]).\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, \u003cem\u003eUnited States Intelligence Activities, \u003c/em\u003eor subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Privacy Act questions should be directed to the CMS Privacy Act Officer.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthorities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including FISMA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Privacy Act of 1974 (“Privacy Act”). 
This \u003cem\u003ePolicy \u003c/em\u003eaddresses CMS-applicable information security and privacy requirements arising from federal legislation, mandates, directives, executive orders, and the Department of Health and Human Services (HHS) policies by integrating NIST Special Publication (SP) 800-53 Revision 5, \u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations \u003c/em\u003ewith the \u003cem\u003eDepartment of Health and Human Services Policy for Information Systems Security and Privacy Protection (HHS IS2P) \u003c/em\u003eand other specific programmatic legislation and CMS regulations. The authoritative references include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuy American Act, 41 U.S.C. §§ 8301-8305\u003c/li\u003e\u003cli\u003eDHS Binding Operational Directive 18-02, Securing High-Value Assets, May 7, 2018\u003c/li\u003e\u003cli\u003eExecutive Order 13556, the Controlled Unclassified Information (CUI) program\u003c/li\u003e\u003cli\u003eE-Government Act of 2002 (44 U.S.C. Chapters 35 and 36)\u003c/li\u003e\u003cli\u003eFamily Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g\u003c/li\u003e\u003cli\u003eFederal Acquisition Supply Chain Security Act of 2018\u003c/li\u003e\u003cli\u003eFederal Information Processing Standards: FIPS 140-2 (superseded by FIPS 140-3), FIPS 199, FIPS 200, FIPS 201-1\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3551\u003c/li\u003e\u003cli\u003eFinancial Audit Manual (FAM), GAO-18-601G: Published June 14, 2018\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191, 110 Stat. 
1936, enacted August 21, 1996)\u003c/li\u003e\u003cli\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/li\u003e\u003cli\u003eHomeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eH.R. 1232 Federal Information Technology Acquisition Reform\u003c/li\u003e\u003cli\u003eNational Archives and Records Administration, CUI Registry\u003c/li\u003e\u003cli\u003eNIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/li\u003e\u003cli\u003eNIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u003c/li\u003e\u003cli\u003eNIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003eNIST SP 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Revision 1, Guidelines for Media Sanitization\u003c/li\u003e\u003cli\u003eNIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices\u003c/li\u003e\u003cli\u003eNIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eNIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing\u003c/li\u003e\u003cli\u003eNIST SP 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)\u003c/li\u003e\u003cli\u003eNIST SP 800-171, Rev. 
2, Protecting CUI in Nonfederal Systems\u003c/li\u003e\u003cli\u003eNIST SP 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies\u003c/li\u003e\u003cli\u003eNIST SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130, Managing Information as a Strategic Resource\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information\u003c/li\u003e\u003cli\u003eOMB Memoranda M-02-01, M-03-22, M-10-22, M-10-23, M-14-03, M-16-17, M-17-12\u003c/li\u003e\u003cli\u003eOPM Information Systems Security Awareness Training Program, 5 CFR § 930.301\u003c/li\u003e\u003cli\u003ePublic Law 113-291, Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018\u003c/li\u003e\u003cli\u003eSection 508 of the Rehabilitation Act of 1973, as amended in 1998 (29 U.S.C. § 794d)\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974, as amended (5 U.S.C. § 552a).\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDocument Organization\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CIO, CISO, and SOP designed this \u003cem\u003ePolicy \u003c/em\u003eto comply with the NIST SP 800-53, Revision 5, Program Management (PM) control family. This \u003cem\u003ePolicy \u003c/em\u003eintegrates information security and privacy roles, responsibilities, and controls into the CMS Information Security and Privacy Program. 
The key contents of this \u003cem\u003ePolicy \u003c/em\u003einclude:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn overall description of the Information Security and Privacy Program (Section 6)\u003c/li\u003e\u003cli\u003eDescriptions of specific roles and responsibilities of key CMS security and privacy Stakeholders (Section 7)\u003c/li\u003e\u003cli\u003eDefining HHS and CMS-specific tailored policies, policies associated with the security and privacy control families, and the consequences for non-compliance (Sections 8, 9, \u0026amp; 10)\u003c/li\u003e\u003cli\u003eSupporting Appendices provide references, a glossary of terms, and acronyms:\u003cul\u003e\u003cli\u003eAppendix A: References\u003c/li\u003e\u003cli\u003eAppendix B: Glossary of Terms and Acronyms.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn accordance with HHS policy, CMS must update this \u003cem\u003ePolicy \u003c/em\u003eat least every three years (36 months). In cases where existing policy is insufficient to address changes in governance (e.g., legislation, directives, mandates, executive orders, or HHS policy) or emerging technology, the CMS CIO may publish ad hoc or specialized interim directives or memorandums to address the area of concern. As appropriate, the interim directive or memorandum may be integrated into future releases of or incorporated as an appendix to this \u003cem\u003ePolicy\u003c/em\u003e. The CMS CISO and SOP may develop \u003cem\u003ememorandums \u003c/em\u003ethat provide actionable guidance that supports best practices and procedures in support of the implementation of CIO policies and directives, along with legislation, mandates, executive orders and other federal mandates.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInformation Security and Privacy Program Summary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CISO and SOP are responsible for managing the Information Security and Privacy Program (henceforth “Program”). 
This section describes how specific functional areas of the Program help CMS stakeholders apply this \u003cem\u003ePolicy \u003c/em\u003ein protecting CMS information and information systems.\u003c/p\u003e\u003cp\u003eCMS security and privacy disciplines are now integrated into a single Program. However, there are requirements unique to each discipline. Privacy policies, as well as security policies, apply to CMS programs and activities at their inception, even before information systems are identified or defined. Business Owners must identify the security and privacy requirements, compliance documentation, and contract requirements prior to system development.\u003c/p\u003e\u003cp\u003ePrivacy policies apply to the collection, creation, use, disclosure, and retention of information that identifies an individual (i.e., PII, including PHI) in electronic or physical form. CMS's responsibility for protecting the privacy interests of individuals applies to all types of information, regardless of its form. All CMS standards, regulations, directives, practices, and procedures must clearly state that all forms of information must be protected.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePolicy and Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe policy and governance functional area establishes and implements the information security and privacy program, which develops organizational security and privacy policies, standards, directives, practices, and procedures within the CMS environment. The responsibilities include developing, implementing, and disseminating this \u003cem\u003ePolicy \u003c/em\u003eto align with and supplement HHS policies, federal legislation, and best practices. 
The \u003cem\u003eCMS Acceptable Risk Safeguards (ARS) \u003c/em\u003eis CMS's (an HHS Operating Division, or OpDiv) implementation of the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-53, Revision 5, and it contains detailed minimum control standards that are traceable to the policies contained herein. Each security and privacy control description provides CMS-specified implementation details for all the security and privacy controls allocated as a baseline to an identified CMS FISMA system based on the FIPS 199 Security Category. Additional CMS-established policies and procedures can serve as further guidance for administering CMS standards, requirements, directives, practices, and procedures for protecting CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management and Compliance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe risk management and compliance functional area provides a multi-level approach to managing information system-related security and privacy risks at the \u003cem\u003eenterprise level\u003c/em\u003e, the \u003cem\u003emission/business process \u003c/em\u003elevel, and the \u003cem\u003einformation system \u003c/em\u003elevel to protect CMS information system assets and individuals accessing these assets. CMS provides a risk-based approach for managing information system-related security and privacy risk which is based on NIST SP 800-37, Revision 2, \u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. \u003c/em\u003eThis framework includes developing and updating risk management and compliance processes and procedures to align with HHS policies, federal legislation, and federal cybersecurity and privacy frameworks. 
The CMS security and privacy program, under the direction of the Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), oversees the agency-wide implementation of this framework which includes Security Assessment and Authorization (SA\u0026amp;A), Continuous Diagnostics and Mitigation (CDM), FISMA reporting, internal assessments/audits, and other external assessments/audits.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe awareness and training functional area provides organizational security and privacy awareness training and specific role-based training (RBT) for all CMS stakeholders with Significant Security Responsibilities (SSR). The responsibilities include developing curriculum and content, delivering training, ensuring training policies and procedures are current, tracking training status, and reporting on completed security awareness and RBT courses.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat and Incident Handling\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cyber threat and incident handling functional area supports CMS’s cyber threat intelligence, information sharing, and incident handling, including breach response. The responsibilities include developing, updating, and disseminating processes and procedures to coordinate information sharing and investigating incidents across CMS, following established CMS Incident Response (IR) procedures.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuity of Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe continuity of operations functional area provides plans and procedures to ensure continuity of operations for information systems that support CMS operations and assets. 
The responsibilities include developing processes and procedures for system contingency planning, disaster recovery, and participation in federal continuity exercises.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section details significant information security and privacy roles and responsibilities for CMS stakeholders. The responsibilities, defined by role rather than position, are derived from the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, RBT requirements, and CMS-specific responsibilities. This section also enhances the responsibilities defined within the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, to address CMSs needs. Therefore, CMS stakeholders must also refer to the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003efor additional detail.\u003c/p\u003e\u003cp\u003eA current version of the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003emay be requested via the HHS Office of Information Security (OIS) mailbox at \u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\"\u003eHHSCybersecurityPolicy@hhs.gov.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eMost of the roles described in this section are restricted to federal employees based on the specific position and role they fulfill within the CMS organization, while others may be filled by either a federal employee or a contractor.\u003c/p\u003e\u003cp\u003eFor additional information, please check CMS Organizational Charts.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS personnel, whether federal employees, contractors (including subcontractors), or entities operating on behalf of CMS, must adhere to the information security and privacy 
responsibilities defined within this section. This subsection describes CMS-specific responsibilities for the roles “All Users” and “Supervisors.”\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFederal Employees and Contractors (All Users)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAll CMS federal employees and contractors (including subcontractors) must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.36, \u003cem\u003eAll Users\u003c/em\u003e. All users have the responsibility to protect CMSs information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction by complying with the information security and privacy requirements maintained in this Policy.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P the responsibilities of the CMS federal employees and contractors must include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConsider all \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf\"\u003ebrowsing activities sensitive\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNotify the CMS CISO and SOP of actual or suspected information security and privacy incidents and breaches, including CMS sensitive data, using CMS specified procedures established in the CMS Incident Response (IR) procedures and applicable Rules of Behavior (RoB).\u003c/li\u003e\u003cli\u003eComplete mandatory security and privacy awareness training before accessing CMS information systems and annually thereafter.\u003c/li\u003e\u003cli\u003eFor all newly hired personnel and staff, and those who transfer into a new position with significant security and/or privacy responsibilities, complete specialized security or privacy RBT as appropriate for their assigned roles within 60 days of entry on duty or upon assuming new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/li\u003e\u003cli\u003eFor contractors with significant security and/or privacy responsibilities, complete specialized RBT within 60 days of beginning work on a contract. They must complete RBT at least annually thereafter.\u003c/li\u003e\u003cli\u003eReport anomalies when CMS programs, systems, or applications are collecting, creating, using, disclosing, or retaining more than the minimum data necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupervisors\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupervisors may be federal employees or contractors2 and must fulfill all responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.37, \u003cem\u003eSupervisors\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of Supervisors include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotify the appropriate System Security and Privacy Officer (Previously known as ISSO) (or the CMS CISO or designee, if the System Security and Privacy Officer (Previously known as the ISSO) \u0026nbsp;is not available) within one hour of any unexpected departure or separation of a CMS employee or contractor.\u003c/li\u003e\u003cli\u003eEnsure personnel under their direct report complete all required information security training, including privacy and RBT, within the mandated time frames established in the CMS Incident Response (IR) procedures.\u003c/li\u003e\u003cli\u003eEnsure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity\u003c/a\u003e\u0026nbsp;designation as derived by the use of the \u003ca 
href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHuman Resource Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eHuman Resource Officer must be an agency official (federal government employee) and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinating with appropriate CMS CIO POCs and Office of Security, Facilities and Logistics Operations (OSFLO) POCs to ensure background checks are conducted for individuals with significant security responsibilities.\u003c/li\u003e\u003cli\u003eNotifying the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) within one business day when CMS personnel are separated from the Department.\u003c/li\u003e\u003cli\u003eEnsuring relevant paperwork, interviews, and notifications are sent to the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) when personnel join, transfer within, or leave the organization, either permanently or on detail.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees \u003c/strong\u003ewith regard to security incidents.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees\u003c/strong\u003e\u0026nbsp;relative to PII breaches and violations.\u003c/li\u003e\u003cli\u003eEnsuring all HR systems and records/data are maintained, used and shared in compliance with the Privacy Act of 1974, as amended (5 U.S.C. 
552a) and the HHS implementing regulations and applicable Systems of Records Notices (SORNs), and, all other applicable laws, policies and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Federal Executives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of CMS Federal Executives, including the Administrator, Chief Financial Officer (CFO), Personnel and Physical Security Officers (PPSO), and Operations Executive (OE). Only agency officials (federal government employees) are authorized to fill these roles.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAdministrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Administrator must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.2, \u003cem\u003eOpDiv Heads, \u003c/em\u003eincluding “Delegating responsibility and authority for management of HHS Operating Division (OpDiv) IT security and privacy programs to the OpDiv CIOs,” and those identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII). 
\u003c/em\u003eThese responsibilities include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDelegating responsibility and authority for making final decisions regarding external breach notification and issuing written notification to individuals affected by a privacy breach.\u003c/li\u003e\u003cli\u003eReceiving inquiries, investigations, or audits from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security Rules and coordinating responses with the Chief Information Officer and other appropriate staff.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS’s Continuity of Operations Program Policy also requires that the Administrator must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncorporate continuity of operations requirements into all CMS activities and operations\u003c/li\u003e\u003cli\u003eDesignate in writing an accountable official as the Agency Continuity Point of Contact, who is directly responsible to the Administrator for management oversight of the CMS continuity program and who is the single point of contact for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Financial Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CFO must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.3, \u003cem\u003eOffice of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO).\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePersonnel and Physical Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe PPSO must fulfill the shared responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.6, \u003cem\u003eOffice of National Security (ONS). 
\u003c/em\u003eIn addition to the HHS IS2P, the general and incident response responsibilities of the PPSO must include, but are not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProtect employees, visitors, and CMS-owned and CMS-occupied critical infrastructure\u003c/li\u003e\u003cli\u003eCoordinate national security information services to all components within the Office of the Administrator (OA).\u003c/li\u003e\u003cli\u003eCoordinate with appropriate CMS CIO POCs and HHS POCs to ensure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity designation\u003c/a\u003e\u0026nbsp;as derived by the use of the \u003ca href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipate at the request of law enforcement, the HHS Computer Security Incident Response Center (CSIRC), the HHS Office of the Inspector General (OIG), and/or the CMS Cybersecurity Integration Center (CCIC) in investigating security and privacy incidents and breaches involving federal employees and/or CMS contractor personnel.\u003c/li\u003e\u003cli\u003eParticipate at the request of the HHS Privacy Incident Response Team (PIRT) and/or the CMS Breach Analysis Team (BAT) in investigating incidents and/or violations involving federal employees, PII, PHI, and/or Federal Tax Information (FTI).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOperations Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Operations Executive must fulfill the responsibilities that include, but are not limited to, the 
following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee day-to-day information security and privacy operations for CMS employees.\u003cul\u003e\u003cli\u003eDevelop and maintain, in coordination with the CISO and SOP, the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy\u003c/em\u003e, to address, at a minimum, the following Acceptable Use standards:\u003cul\u003e\u003cli\u003ePrivacy requirements must be identified in contracts and acquisition-related documents.\u003c/li\u003e\u003cli\u003ePersonal use of CMS IT resources must comply with \u003cem\u003eHHS Policy for Personal Use of Information Technology Resources\u003c/em\u003e, such that personal use of CMS IT resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure all CMS system users annually read and sign the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information Resources\u003c/em\u003e, which governs the appropriate use of CMS IT resources.\u003c/li\u003e\u003cli\u003eInform CMS employees and contractors that use of CMS information resources, other than for authorized purposes, is a violation of the HHS RoB and Article 35 of the Master Labor Agreement and is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges that could result in imprisonment. 
CMS bargaining unit employees must also adhere to Article 35 of the Master Labor Agreement.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors encrypt CMS sensitive information transmitted to a non-CMS controlled environment,7 including but not limited to email, using Federal Information Processing Standard (FIPS) 140-3 compliant encryption solutions/modules.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors are prohibited from transmitting sensitive CMS information using any non-CMS approved, Internet-based mechanism, including but not limited to, personal email, file-sharing, file transfer, or backup services.\u003c/li\u003e\u003cli\u003eEnsure that any CMS contractor, other person, or organization that performs functions or activities that involve the use or disclosure of PHI on behalf of CMS have Business Associate Agreement provisions in their contracts or agreements per OAGM standard contract language requirements.\u003c/li\u003e\u003cli\u003eEnsure CMS uses PII internally only for the purpose(s) that are authorized by statute, regulation, or Executive Order; and when the PII is also considered PHI for treatment, payment, healthcare operations, or as permitted under HIPAA (e.g., for research as permitted under 45 CFR §164.512).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOffice Director, Office of Enterprise Data and Analytics and Chief Data Officer\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eThe Office Director of the Office of Enterprise Data and Analytics (OEDA) also serves as the CMS Chief Data Officer (CDO). The CDO must be an agency official (federal government employee). 
The CDO must establish and implement policies, practices, and standards for maximizing the value and impact of CMS data for internal and external stakeholders.\u003c/p\u003e\u003cp\u003eOEDA develops and implements a data services strategy to maximize use of data on all CMS programs, including issue papers, chart books, dashboards, interactive reports, data enclave services, public use files, and research identifiable files. OEDA oversees the creation of data sets that de-identify individuals and makes these data sets publicly available when there is legal authority permitting their creation. Methods for creating these data sets may include:\u003c/p\u003e\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(2) (the “Safe Harbor Rule”).\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(1) (the “Expert Determination Rule”)\u003c/li\u003e\u003cli\u003e\u003cp\u003eOEDA also oversees the creation of “limited data sets” (LDS), which are data sets to be used or disclosed for purposes of research, public health, or healthcare operations, using the methodology set out at 45 CFR §164.514(e).\u003c/p\u003e\u003cp\u003eThe Administrator may designate other specific responsibilities to the CDO as necessary.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eOffice Director, Office of Acquisition and Grants Management and Head of Contracting Activity\u003c/h4\u003e\u003cp\u003eThe Office Director of the Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA) also serve as the CMS Chief Acquisition Officer (CAO). The CAO must be an agency official (federal government employee) designated to advise and assist the head of the agency and other agency officials to ensure that the mission of CMS is achieved through the management of the agencys acquisition activities. 
The responsibilities of the Chief Acquisition Officer include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAdvise and assist the administrator and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities.\u003c/li\u003e\u003cli\u003eCoordinate with the authorizing official, business owners, system owners, common control providers, chief information security officer, senior official for privacy, and risk executive (function) to ensure that security and privacy requirements are defined in organizational procurements and acquisitions.\u003c/li\u003e\u003cli\u003eMonitor the performance of the acquisition activities and programs.\u003c/li\u003e\u003cli\u003eEstablish clear lines of authority, accountability, and responsibility for acquisition decision-making within CMS.\u003c/li\u003e\u003cli\u003eManage the direction and implementation of the acquisition policy.\u003c/li\u003e\u003cli\u003eEstablish policies, procedures, and practices that promote full and open competition from responsible sources to fulfill best value requirements considering the nature of the property or service procured.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCenter and Office Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach CMS Center and Office Executive must nominate an appropriately qualified staff member as a Data Guardian to the Senior Official for Privacy (SOP) for approval. 
The executive must ensure the Data Guardian meets the following qualifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe a proficient consumer advocate\u003c/li\u003e\u003cli\u003eHave experience in identifying information security and privacy requirements\u003c/li\u003e\u003cli\u003eBe trained in using the CMS Risk Management Framework (RMF)\u003c/li\u003e\u003cli\u003eUnderstand the CMS Center/Office business processes and operations\u003c/li\u003e\u003cli\u003eHave respect for the role and impact PII and PHI play within the Center/Office and across the CMS enterprise.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation Security and Privacy Officers\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those federal employees with roles related to establishing this \u003cem\u003ePolicy \u003c/em\u003eand the associated Program designed to protect CMS information and information systems, including the CIO, CISO, SOP, Privacy Act Officer, Chief Technology Officer (CTO), Configuration Management Executive, Cyber Risk Advisor (CRA), Privacy Advisor, and Marketplace Senior Information Security Officer.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CIO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.11, \u003cem\u003eOpDiv CIOs, \u003c/em\u003eincluding serving as the Chief Risk Officer and Authorizing Official (AO) for all CMS FISMA systems. 
There is only one AO for all CMS FISMA systems.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CIO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate the CISO as the authority for managing CMS incident response activities identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDefine recommended minimum System Security and Privacy Officer (previously known as ISSO) qualifications commensurate with the System Security and Privacy Officer (previously known as ISSO) role within CMS for both federal employees and contractors defined with NIST Significant Information Security and Privacy Responsibilities (SISPRs)\u003c/li\u003e\u003cli\u003eDefine mandatory information security and privacy training, education, and awareness activities undertaken by all personnel, including contractors, commensurate with identified roles and responsibilities\u003c/li\u003e\u003cli\u003eShare threat information as mandated by the Cybersecurity Enhancement Act of 2014\u003c/li\u003e\u003cli\u003eCoordinate with the CISO to establish configuration management processes and procedures\u003c/li\u003e\u003cli\u003eCreate and manage the review and approval of changes through the appropriate IT governance; change control bodies/boards\u003c/li\u003e\u003cli\u003eCoordinate with the CISO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications\u003c/li\u003e\u003cli\u003eRespond to any inquiries, investigations, or audits received from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security 
Rules\u003c/li\u003e\u003cli\u003eEnsure that all CMS key stakeholders, including the Chief Financial Officer (CFO); Office Director, Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA); Senior Official for Privacy (SOP); mission, business, and policy owners; as well as the CISO organizations, are aware of risks associated with High Value Assets (HVAs)\u003c/li\u003e\u003cli\u003eEnsure the establishment and implementation of an HHS-specific or CMS-specific HVA Policy and HVA Management Program.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CISO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.12, \u003cem\u003eOpDiv CISOs. \u003c/em\u003eThe CISO carries out the CIO’s information security responsibilities under federal requirements in conjunction with the SOP.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements through the \u003cem\u003eCMS ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003ePublish CISO Directives as required to augment existing policy.\u003c/li\u003e\u003cli\u003eReview any requested waivers and deviations from this Policy and provide recommendations to the AO for risk acceptance.\u003c/li\u003e\u003cli\u003eServe as the security official who is responsible for the development and implementation of the policies and procedures that are required by the HIPAA Security Rule (please refer to 45 CFR §164.308(a)(2)).\u003c/li\u003e\u003cli\u003eDelegate the authority to approve system configuration deviations to the CRA and System Security and Privacy Officer (previously known as 
the ISSO), where appropriate.\u003c/li\u003e\u003cli\u003eEnsure CMS-wide implementation of HHS and CMS information security and privacy capabilities, policies, and procedures consistent with the NIST Risk Management Framework (RMF).\u003c/li\u003e\u003cli\u003eLead the investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eDefine and oversee the goals and requirements of Agency Security Operations.\u003c/li\u003e\u003cli\u003eCoordinate incident response and threat information sharing with the HHS CSIRC and/or HHS PIRT, as appropriate.\u003c/li\u003e\u003cli\u003eEnsure the information security continuous monitoring (ISCM) capabilities accomplish the goals identified in the ISCM strategy.\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process as part of the Program\u003c/li\u003e\u003cli\u003eApprove the appointment of the System Security and Privacy Officer (previously known as ISSO) by the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection by coordinating with the SOP and the CCIC Director to (1) disconnect or suspend interconnections and (2) ensure interconnections remain disconnected or suspended until the AO orders reconnection.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Executive (Function)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Risk Executive must be an agency official (federal government employee). 
The Risk Executive must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.13, \u003cem\u003eRisk Executive (Function)\u003c/em\u003e. The Administrator may designate specific responsibilities to the RE as necessary.\u003c/p\u003e\u003cp\u003eThe Risk Executive must also fulfill the responsibilities for agency-wide risk management strategies that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the CCIC to:\u003c/li\u003e\u003cli\u003eManage risk(s) identified in the threat landscape via cyber threat intelligence, vulnerability assessment, penetration testing, forensics, malware, insider threat, etc., and security and privacy risk(s) identified via risk assessments, security control assessments, internal/external audits, etc. (including supply chain risk[s] via the Division of Strategic Information [DSI]) information for organizational systems and the environments in which the systems operate.\u003c/li\u003e\u003cli\u003eUse the CDM program to identify and report on the risk posture of the portfolio of FISMA reported systems in near real time\u003c/li\u003e\u003cli\u003eUtilize the CFACTS system to report on the risk posture of the FISMA reported systems.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSenior Official for Privacy\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SOP must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.18, \u003cem\u003eOpDiv SOP\u003c/em\u003e. The responsibilities of the SOP must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLead CMS privacy programs and promote proper information security and privacy practices.\u003c/li\u003e\u003cli\u003eLead the development and 
implementation of privacy policies and procedures, including the following actions:\u003cul\u003e\u003cli\u003eEvaluate any new legislation that obligates the Program to create any regulations, policies, procedures, or other documents concerning collecting, creating, using, disclosing, or retaining PII/PHI.\u003c/li\u003e\u003cli\u003eEnsure an appropriate party will develop all such required policies or other documents.\u003c/li\u003e\u003cli\u003eEnsure policies exist to impose criminal penalties and/or other sanctions on CMS employees (consistent with the CMS Master Labor Agreement) and non-employees, including contractors and researchers, for violations of law and policy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure privacy controls are implemented and enforced.\u003c/li\u003e\u003cli\u003eServe as the privacy official responsible for developing and implementing policies and procedures, receiving complaints, and providing further information related to the Notice of Privacy Practices, as required by the HIPAA Privacy Rule (please refer to 45 CFR §164.530(a)).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their rights to access, inspect, request additions or amendments, and obtain copies of their PII/PHI in a designated record set or in a Privacy Act system of records (SOR).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their right to an accounting of disclosures of their PII/PHI by CMS or its business associates.\u003c/li\u003e\u003cli\u003eEnsure any use or disclosure of PII/PHI that is not for treatment, payment, health operations, or otherwise permitted or required by the HIPAA Privacy Rule or Privacy Act is disclosed only with the individual’s authorization.\u003c/li\u003e\u003cli\u003eEnsure the Program develops and documents a Notice of Privacy Practices for all Medicare Fee-for-Service beneficiaries, as required by the HIPAA Privacy Rule, that defines the uses and disclosures of 
PHI.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner / Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eCoordinate as the lead and collaborate with the CISO to:\u003cul\u003e\u003cli\u003eDocument privacy requirements and manage privacy implementation as CMS information systems are designed, built, operated, or updated\u003c/li\u003e\u003cli\u003eProvide recommendations to the CIO regarding the privacy posture of FISMA systems and the use/disclosure of CMS information\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCo-chair the CMS Data Governance Board.\u003c/li\u003e\u003cli\u003eApprove the appointment of Data Guardians by the Center or Office Executive.\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling, which includes all incidents involving PII/PHI.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection\u003cul\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to disconnect or suspend interconnections\u003c/li\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to ensure interconnections remain disconnected or suspended until the AO orders reconnection\u003c/li\u003e\u003cli\u003eReview HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII/PHI\u003c/li\u003e\u003cli\u003eEnsure that all required privacy documentation and materials are complete, accurate, and up to date.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Act Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Privacy Act Officer must be an agency official (federal government employee) and must fulfill all 
the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.20, \u003cem\u003eOpDiv Privacy Act Contact\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Privacy Act Officer must also include, but not be limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, implement, and maintain policies and procedures related to the Privacy Act.\u003c/li\u003e\u003cli\u003eProcess Privacy Act requests, including requests requiring exceptions to the Privacy Act.\u003c/li\u003e\u003cli\u003eProvide guidance and advice on federal Privacy Act policies and procedures.\u003c/li\u003e\u003cli\u003eEvaluate the impact of the Privacy Act and regulations on the organization's activities.\u003c/li\u003e\u003cli\u003eCoordinate with CMS Offices and staff as needed.\u003c/li\u003e\u003cli\u003eRepresent CMS on issues related to the Privacy Act.\u003c/li\u003e\u003cli\u003eAssess Privacy Act-related risks associated with programs, operations, and technology.\u003c/li\u003e\u003cli\u003eSupport efforts across CMS to comply with the Privacy Act.\u003c/li\u003e\u003cli\u003ePlan and conduct training sessions on Privacy Act requirements.\u003c/li\u003e\u003cli\u003eEnsure procedures exist to:\u003cul\u003e\u003cli\u003eAuthenticate the identity of a person requesting PII/PHI and, as appropriate, the authority of any such person permitted access to PII/PHI\u003c/li\u003e\u003cli\u003eObtain any documentation, statements, or representations, as appropriate, whether oral or written, from the authorized person requesting the PII/PHI\u003c/li\u003e\u003cli\u003eIn response to requests for disclosures, limit the PII/PHI disclosed to that which is the minimum amount reasonably necessary to achieve the intended purpose of the disclosure or request, relying (if such reliance is reasonable under the circumstances) on the precise scope of the requested disclosure to 
determine the minimum necessary information to be included in the disclosure\u003c/li\u003e\u003cli\u003eIn structuring all CMS processes, ensure that to the greatest degree practicable each person receives only the PII/PHI data elements and records that the person needs (e.g., the data elements the person needs to perform all tasks within the scope of their assigned responsibilities); when CMS requests PII/PHI from third parties, ensure the PII/PHI requested is limited to the amount reasonably necessary to accomplish the purpose for which the request is made.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Technology Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Chief Technology Officer (CTO) must be an agency official (federal government employee). The CIO may designate specific responsibilities to a CTO as necessary.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConfiguration Management Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Configuration Management Executive must be an agency official (federal government employee) and must provide executive-level oversight for configuration management and contingency planning.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCyber Risk Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Cyber Risk Advisor (CRA) may be a federal employee or a contractor. 
The CISO may designate the authority to approve system configuration deviations to the CRA where appropriate.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CRA must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAct as the subject matter expert in all areas of the \u003cem\u003eCMS RMF.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEvaluate, maintain, and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the AO.\u003c/li\u003e\u003cli\u003eSupport the CMS stakeholders in ensuring that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced; serve as an active participant in the system development life cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs considering security, functionality, and cost.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Information System Owner (ISO), Business Owner, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts and manage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC as appropriate and results are considered during the development phase of the SDLC.\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed 
information security and privacy artifacts to provide recommendations to the System Security and Privacy Officer (previously known as ISSO).\u003c/li\u003e\u003cli\u003eProvide guidance to CMS stakeholders on required actions, potential strategies, and best practices for closure of identified weaknesses.\u003c/li\u003e\u003cli\u003eUpload findings spreadsheets to the CMS FISMA Controls Tracking System (CFACTS).\u003c/li\u003e\u003cli\u003eEnsure AO-issued authorization is updated in CFACTS.\u003c/li\u003e\u003cli\u003eServe as the authority to approve selected system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eRemind System Security and Privacy Officer (previously known as ISSO) with expiring or expired letters to resubmit their appointment letters using a new letter.\u003c/li\u003e\u003cli\u003eUpload signed System Security and Privacy Officer (previously known as ISSO) appointment letter(s) to CFACTS.\u003c/li\u003e\u003cli\u003eCoordinate with the BO, ISO, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact the organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePrivacy Advisors may be federal employees or contractors and work under the direction of the SOP. 
The Privacy Advisor must fulfill responsibilities that include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify opportunities to integrate Fair Information Practice Principles (FIPP) into CMS business processes and information systems.\u003c/li\u003e\u003cli\u003eEvaluate legislation, regulations, and policies that may affect how CMS collects, uses, stores, discloses, or retires PII; identify their potential impacts on CMS; and recommend responsive actions to the CMS management or others that request guidance.\u003c/li\u003e\u003cli\u003eFor IT systems, coordinate with the Business Owner, CRA, Data Guardian, ISO, and System Security and Privacy Officer (previously known as ISSO) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the privacy impacts, and manage information security and privacy risk, including:\u003cul\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) and existing CFACTS documentation to verify that the PIA follows HHS/CMS guidance and verify that privacy risks have been appropriately documented\u003c/li\u003e\u003cli\u003eEvaluate privacy-related agreements (e.g., Computer Matching Agreements [CMA], Information Exchange Agreements [IEAs], and Memoranda of Agreement / Understanding [MOA/MOU]) to verify that privacy requirements are satisfied and privacy risks are adequately addressed, both initially and when periodically reviewed, and provide guidance and advice on these agreements to Business Owners, ISOs, and other CMS staff as needed\u003c/li\u003e\u003cli\u003eContinuously monitor all findings of privacy risk or deficiency, including by monitoring progress against privacy-related POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eTrack the progress of enterprise privacy risk mitigation activities across portfolios\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eProvide ISPG perspective during TRB reviews to 
assess the impact of changes to IT systems on privacy issues and work to mitigate those impacts.\u003c/li\u003e\u003cli\u003eWork with System Security and Privacy Officer (previously known as ISSO) to evaluate system changes to determine whether privacy risks are sufficiently significant to require updates to Authority To Operate (ATO) documents.\u003c/li\u003e\u003cli\u003eWork with BO, ISO, CRA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eWorks with CRAs to verify that decommission and disposition plans for IT systems do not create significant privacy risks.\u003c/li\u003e\u003cli\u003eAssist in developing reports on any aspect of privacy requested by CMS senior management, HHS, external auditors, or any other party authorized to request and receive such information.\u003c/li\u003e\u003cli\u003eProvide recommendations concerning the privacy risks and practices relevant to IT systems.\u003c/li\u003e\u003cli\u003eProvide incident handling support for incidents involving PII.\u003c/li\u003e\u003cli\u003eAdvise CMS healthcare programs on compliance with privacy and related cybersecurity requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAffordable Care Act (ACA) Senior Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ACA Senior Information Security Officer must be an agency official (federal government employee).\u003c/p\u003e\u003cp\u003eThe responsibilities of the ACA Senior Information Security Officer must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the overall information security and privacy of the Health Insurance Marketplace (HIM) by driving integration, collaboration, and innovation across disparate groups under the HIM program.\u003c/li\u003e\u003cli\u003eRepresent 
the interests of the CCIIO, as well as the CIO, CISO, and SOP by integrating the work of the managers and staff of multiple units to ensure an acceptable information security and privacy posture through visibility, compatibility, and situational awareness.\u003c/li\u003e\u003cli\u003eProvide technical and policy guidance during all phases of the SDLC to balance risk-based tradeoffs among information security, privacy, functionality, and cost.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Records Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Records Officer must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsuring compliance with the Federal Records Act of 1950, National Archives and Records Administration (NARA) regulations and/or guidance, OMB directives, and Government Accountability Office (GAO) audit requirements.\u003c/li\u003e\u003cli\u003eServing as Chairperson of the CMS Records Management Office.\u003c/li\u003e\u003cli\u003eDevelop CMS records management policies and procedures.\u003c/li\u003e\u003cli\u003eProviding agency-wide guidance, training, and assistance for compliance with laws and regulations\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupply Chain Risk Management (SCRM) Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SCRM Manager must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eManaging the development, documentation, and dissemination of the supply chain risk management policy and procedures.\u003c/li\u003e\u003cli\u003eAnalyze and assess the effects and impacts of existing and proposed federal legislation on CMS policies as it relates to supply chain risk management.\u003c/li\u003e\u003cli\u003eFacilitate 
or attend SCRM-related working group meetings to promote the supply chain risk management program and share policy updates and supply chain risk challenges and solutions with relevant CMS stakeholders.\u003c/li\u003e\u003cli\u003eResearch, identify, analyze and recommend countermeasures and mitigations for supply chain risks that promote supply chain resilience.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eProgram and Information System Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those with roles related to CMS programs and the associated information systems. Program Executives oversee CMS programs and may also serve as ISOs and/or Business Owners. ISOs, referred to as “System Owners” in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, take responsibility for the operation of information systems required by the CMS program. Business Owners, referred to in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eas “Data Owners/Business Owners,” take primary responsibility for the information and data processed by the CMS program.\u003c/p\u003e\u003cp\u003eThis subsection also identifies specific information security and privacy responsibilities of the ISOs, Data Guardians, Business Owners, Contracting Officers (CO), Contracting Officer's Representatives (COR), and Program/Project Managers. This subsection also describes the responsibilities of the System Security and Privacy Officer (previously known as ISSO), including auxiliary responsibilities of the Security Control Assessor and Contingency Planning Coordinator (CPC) that may be filled by the System Security and Privacy Officer (previously known as ISSO). 
The final subsection describes specific responsibilities of the Security Operations Center/Incident Response Team (SOC/IRT).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISO must be an agency official (federal government employee) and must fulfill all of the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23 IS2P, \u003cem\u003eSystem Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS ISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn coordination with the Data Guardian and Business Owner\u003cul\u003e\u003cli\u003eNominate appropriately qualified System Security and Privacy Officer (previously known as ISSO) appointees, as defined under FISMA, to the CISO for approval.\u003c/li\u003e\u003cli\u003eEnsure that information security and privacy for each information system are planned, documented, and integrated from project inception through all phases of the CMS SDLC.\u003c/li\u003e\u003cli\u003eConsult and coordinate with the CIO and SOP to identify, negotiate, and execute appropriate governing artifacts and agreements before sharing CMS information.\u003c/li\u003e\u003cli\u003eIdentify program or system roles that have NIST Significant Information Security or Privacy Responsibilities (SISPRs) within their purview and oversee the system-specific Rules of Behavior (RoB) training applicable to system(s) in their portfolio.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Business Owner, CRA, Privacy Steward, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS or the component of CMS 
conducting the collection of PII/PHI has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, sharing, and disclosure of PII/PHI and subsequent appropriate disposal after disposition and retirement\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure each system's Change Control Board (CCB):\u003c/li\u003e\u003cli\u003eIs an integral part of the information system change management process.\u003c/li\u003e\u003cli\u003eImplements applicable governing standards as defined in the \u003cem\u003eARS.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSupports the creation of baseline configuration documentation to reflect ongoing implementation of the operational configuration baseline updates.\u003c/li\u003e\u003cli\u003eSupports the change management processes to address change requests (CRs) for each system so that an appropriate Security Impact Analysis is performed by the System Security and Privacy Officer (previously known as ISSO) or designated staff\u003c/li\u003e\u003cli\u003eApproves System Security and Privacy Officer (previously known as ISSO) information security configuration recommendations to address weaknesses and system deficiencies.\u003c/li\u003e\u003cli\u003eEnsure employees and contractors receive the appropriate training and education regarding relevant information security and privacy laws, regulations, and policies governing the information assets they are responsible for protecting.\u003c/li\u003e\u003cli\u003eServe as the attestation official for approving the common controls provided by the system.\u003c/li\u003e\u003cli\u003eInclude the Security Control Assessor or representative from the system as a member of the CCB in all configuration management processes that include the system. 
If the System Security and Privacy Officer (previously known as ISSO) or Security Control Assessor acts as a voting member of the CCB, they must be federal employees.\u003c/li\u003e\u003cli\u003eMaintain change documentation in accordance with the CMS Records Retention Policy\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Data Guardian must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresent the Center or Office on the Data Guardian Committee under the auspices of the CMS Data Governance Board to ensure a coordinated and consistent approach to protecting PII across the CMS enterprise.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the ISO, Business Owner, CRA, and ISSO (Now referred to as Security and Privacy Officer) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information 
systems\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIdentify and pursue opportunities to proactively enhance information security and privacy controls and increase awareness of the evolving information security and privacy threats to the information assets of the Center or Office.\u003c/li\u003e\u003cli\u003eAttend quarterly Data Guardian Meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSafeguard PII by creating an information security and privacy awareness culture that adheres to information security and privacy standards and requirements designed to protect CMS data assets as directed by the CISO and SOP.\u003c/li\u003e\u003cli\u003eGather lessons learned and communicate best practices for protecting PII to their Center or Office.\u003c/li\u003e\u003cli\u003eParticipate in incident response activities affecting the Center or Office information security and privacy posture.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner \u003c/em\u003ein coordination with the Data Guardian. CMS Business Owners are the Group Directors or Deputy Group Directors who have the primary business needs that are or will be addressed by CMS IT investments/projects. 
The responsibilities of the CMS Business Owner must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the requirements of the CMS Policy for IT Investment Management \u0026amp; Governance or its successor policy.\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with the COs and CORs to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the SOP to ensure appropriate information security and privacy contracting language from relevant sources is incorporated into each IT contract. 
Relevant sources must include, but are not limited to, the following:\u003cul\u003e\u003cli\u003eHHS ASFR\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM).\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with the \u003cem\u003eCMS ARS\u003c/em\u003e, and when collecting or using FTI, with Internal Revenue Service (IRS) \u003cem\u003ePublication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies10.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eCoordinate with ISO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocument data that are collected and maintained and certify that the data are authorized, relevant, and necessary to CMS's mission.\u003c/li\u003e\u003cli\u003eOwn the information stored, processed, or transmitted in CMS's information systems and limit access to the data/information.\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems that are permitted by routine use under CMS System of Records Notices (SORN) through appropriate vehicles to authorize or deny the release of PII.\u003c/li\u003e\u003cli\u003eVerify that CMS's programs or systems only disclose the minimum data necessary.\u003c/li\u003e\u003cli\u003eDetermine and certify that the information security and privacy controls that protect CMS's systems are commensurate with the sensitivity of the data being 
protected.\u003c/li\u003e\u003cli\u003eEstablish and revise, in coordination with the Privacy Act Officer, SORNs and computer matching agreements in accordance with the established procedures.\u003c/li\u003e\u003cli\u003ePrepare PIAs for programs or systems in accordance with the direction provided by the CRA.\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and the determination of the appropriate action to be taken regarding external notification of privacy breaches as well as the reporting, monitoring, tracking, and closure of PII incidents.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eContracting Officer and Contracting Officer's Representative\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CO and COR must be agency officials (federal government employees) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.34, \u003cem\u003eCO and COR.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS CO and COR must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the CISO, SOP, Privacy Act Officer, and Data Guardian are consulted during contract development and that the latest information security and privacy contract language is included in all contracts, as applicable.\u003c/li\u003e\u003cli\u003eWork with the Business Owner to determine the minimum necessary PII/PHI required to conduct each activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003e\u003cp\u003eCollect training records demonstrating that all CMS contractors with significant security and/or privacy responsibilities complete specialized RBT commensurate with their roles within 60 days of beginning work on a contract, upon commencement of the contractor's work, annually thereafter, and upon 
request.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eProgram/Project Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Program/Project Manager must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.35, \u003cem\u003eProject/Program Manager \u003c/em\u003ein coordination with the Data Guardian.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Program/Project Manager must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure information security and privacy-related actions identified by the CMS SDLC meet all identified information security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure contractors follow all required information security and privacy policies, standards, and procedures\u003c/li\u003e\u003cli\u003eEnsure contractors follow all required procedures and provide all required documentation when requesting/gaining access to PII\u003c/li\u003e\u003cli\u003eEnsure contractors use the minimum data required to perform approved tasks\u003c/li\u003e\u003cli\u003eEnsure contractors return data covered by approved information sharing agreements at the end of the contract or task to the COR for proper destruction\u003c/li\u003e\u003cli\u003eEnsure appropriate notification and corrective actions, as described in the CMS Incident Handling procedure, are taken when a privacy breach is declared and involves a contractor or a public-private partnership operating a SOR on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrimary System Security and Privacy Officer (previously known as 
P-ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Primary System Security and Privacy Officer (previously known as P-ISSO) may be either a federal government employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.24, \u003cem\u003eSystem Security and System Privacy Officers (previously referred to as ISSO)\u003c/em\u003e. The System Security and Privacy Officer (previously known as ISSO) must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSections 7.26 and 7.30, and further elaborated in this subsection.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Primary System Security and Privacy Officer (previously known as P-ISSO)) must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReport compliance on secure protocol use in websites periodically as defined within the \u003cem\u003eCMS 
ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003eSubmit System Security and Privacy Officer (previously known as ISSO) appointment letter for assigned system when nominated for approval and resubmit every two (2) years for review.\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and application.\u003c/li\u003e\u003cli\u003eCoordinate with the System Developer and Maintainer in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eDocument the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance.\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, and the PA in documenting Risk-based Decisions which impact their organizational FISMA system in accordance to CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eAct as one of the attestation officials for any authorization request for certification for an Authority-To-Operate (ATO) from the CMS Authorization Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for PII, PHI, and FTI in accordance with the \u003cem\u003ePrivacy Act\u003c/em\u003e, \u003cem\u003eE-Government Act\u003c/em\u003e, the HIPAA Privacy and Security Rules, and all applicable 
guidance.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain current system information in CFACTS (such as POCs and artifacts) to support organizational requirements and processes (e.g., communication, contingency planning, training, and data calls).\u003c/li\u003e\u003cli\u003eCoordinate with the Business Owner, ISO, and CISO to ensure that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced for applicable information and information systems.\u003c/li\u003e\u003cli\u003eEnsure anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and ISCM activities are addressed and remediated in a manner that is commensurate with the risks posed to the system from the anomalies.\u003c/li\u003e\u003cli\u003eEvaluate the impact of network and system changes using standard processes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem Development Life Cycle\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eInitiation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and confirm that contracts include appropriate information security and privacy language.\u003cul\u003e\u003cli\u003eCoordinate with Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure the system appears in CFACTS.\u003c/li\u003e\u003cli\u003eGenerate a draft PIA in coordination with the Business Owner.\u003c/li\u003e\u003cli\u003eEvaluate whether other privacy artifacts are required.\u003c/li\u003e\u003cli\u003eComplete System Security Categorization.\u003c/li\u003e\u003cli\u003eIdentify system-specific, information security and privacy training needs.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eConcept\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and discuss risk with the Program Manager and Business Owner.\u003c/li\u003e\u003cli\u003eIdentify any investment needs to ensure each FISMA system meets security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003ePlanning\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a System Security and Privacy Plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure Security Control Assessment is scheduled.\u003c/li\u003e\u003cli\u003eIdentify training needs.\u003c/li\u003e\u003cli\u003eReview or develop a corresponding security architecture diagram.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eRequirements Analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eConduct formal information security risk assessment (ISRA)\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eComplete documentation activities, including the privacy documents.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDesign\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that security architecture ingress/egress points are reviewed to meet CMS security requirements.\u003c/li\u003e\u003cli\u003eEnsure data is transmitted, processed, and stored securely.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDevelopment\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify software code is developed in accordance with the \u003cem\u003eCMS Technical Reference Architecture (TRA) 
\u003c/em\u003eand SDLC information security and privacy guidelines.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eTest\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSchedule internal tests such as penetration testing.\u003c/li\u003e\u003cli\u003eCoordinate with the CCIC to ensure assets are identified within monitoring tools.\u003c/li\u003e\u003cli\u003eEnsure use case security testing is incorporated into system functional testing.\u003c/li\u003e\u003cli\u003eEnsure change control processes are followed in accordance with the system security and privacy plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure auditing logs are appropriately capturing required information.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eImplementation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure third-party testing begins and weaknesses are resolved quickly.\u003c/li\u003e\u003cli\u003eEnsure each FISMA system is authorized for operation before the go-live date.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eOperation and Maintenance\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAddress weaknesses and POA\u0026amp;Ms.\u003c/li\u003e\u003cli\u003eReview available reports.\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based on change requests.\u003c/li\u003e\u003cli\u003eConduct Security Impact Analysis (SIA) at the direction of the Business Owner.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDisposition\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify the proper disposition of hardware and software.\u003c/li\u003e\u003cli\u003eVerify data are archived securely in accordance with the National Archives and Records Administration (NARA) requirements and in coordination with the Data Guardian.\u003c/li\u003e\u003cli\u003eInitiate the request to close out the project file in CFACTS.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecondary System Security and Privacy Officer (previously known as S-ISSO) and System Security and Privacy Officer Contractor Support (previously known as ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Secondary System Security and Privacy Officer (previously known as S-ISSO) may be either a federal government employee or a contractor identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.25, \u003cem\u003eSystem Security and Privacy Officer (previously referred to as ISSO) Designated Representative / Security Steward \u003c/em\u003eand must assist the Primary System Security and Privacy Officer (previously known as P-ISSO). 
The System Security and Privacy Officer Contractor Support (previously known as ISSOCS) is a contractor only role that assists and supports the Primary System Security and Privacy Officer (previously known as P-ISSO) and Secondary Systems Security and Privacy Officer (previously known as S-ISSO) roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor (also referred to as Certification Agent) role may be performed by a System Security and Privacy Officer (previously known as ISSO). The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23, \u003cem\u003eSecurity or Privacy Control Assessor\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by a System Security and Privacy Officer (previously known as ISSO). 
The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS \u003cem\u003ePolicy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.30, \u003cem\u003eContingency Planning Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Contingency Planning Coordinator must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWork as part of an integrated project team to ensure contingency plans and related operational procedures accommodate all business resumption priorities and the defined applicable Maximum Tolerable Downtimes (MTD)\u003c/li\u003e\u003cli\u003eEnsure procedures exist that achieve continuity of operations of business objectives within appropriately targeted systems with any applicable Recovery Time Objective (RTO) and Recovery Point Objective (RPO) identified in the Business Impact Assessment\u003c/li\u003e\u003cli\u003eEnsure that the contingency plan is activated if any computer security incident disrupts the system; if the disruption is not resolved within the system's RTO, implement the system's disaster recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Operations Center/Incident Response Team\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe FISMA system SOC/IRT may consist of federal employees or contractors and must fulfill all the FISMA system-level responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv CSIRT, \u003c/em\u003eand the applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS PIRT\u003c/em\u003e. 
The FISMA system SOC/IRT reports to the Agency Security Operations, which is responsible for CMS-wide incident management.\u003c/p\u003e\u003cp\u003eThe Data Guardian, Business Owner, and ISO, in coordination with the CISO, have ownership of and responsibility for incident response and reporting for the FISMA system. The execution of this function begins at the data center/contractor site housing the FISMA system. Once an incident is declared, the CCIC coordinates with FISMA system SOC/IRT and Agency Security Operations personnel for all incident management activities.\u003c/p\u003e\u003cp\u003eThe FISMA system SOC/IRT operates under the direction and authority of the System Security and Privacy Officer (previously known as ISSO) and the Business Owner/ISO. The FISMA system SOC/IRT monitors for, detects, and responds to information security and privacy incidents within the FISMA system environment. The FISMA system SOC/IRT also provides timely, accurate, and meaningful reporting to the FISMA system stakeholders.\u003c/p\u003e\u003cp\u003eFISMA systems may perform the SOC/IRT capability by using a separate CMS CISO-approved SOC/IRT service provider. 
Any FISMA system SOC/IRT that is unable to deploy the required capabilities may establish an agreement with the CCIC to provide SOC/IRT services.\u003c/p\u003e\u003cp\u003eThe responsibilities of the FISMA system SOC/IRT must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor the FISMA system, perform:\u003cul\u003e\u003cli\u003eReal-time network and system security monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to information security and privacy incidents and breaches\u003c/li\u003e\u003cli\u003eSecurity sensor tuning and management and infrastructure operations and maintenance (O\u0026amp;M).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure flaw remediation (e.g., patching and installation of compensating controls), planning, ongoing scanning (e.g., ISCM), help desk, asset management, and ticketing are performed for the FISMA system in a manner that meets or exceeds CMS requirements.\u003c/li\u003e\u003cli\u003eEnsure the SOC/IRT-specific tools are implemented and deployed according to the CCIC and vendor technical guidance.\u003c/li\u003e\u003cli\u003eEnsure SOC/IRT-specific tools/equipment are isolated, as appropriate, from operational networks and systems.\u003c/li\u003e\u003cli\u003eServe as the FISMA systems information security and privacy lead on behalf of CCIC and HHS CSIRC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReport FISMA system information security and privacy incidents and breaches to CCIC and HHS CSIRC as required by federal law, regulations, mandates, and directives, and as reflected in the CMS established procedures.\u003c/li\u003e\u003cli\u003eReport cyber threat/intelligence/information to CCIC as required by federal law, regulations, mandates, and 
directives.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePrivileged Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes specific information security and privacy responsibilities of users with privileged access to CMS information systems. For example, a privileged user11 is any user that has sufficient access rights to modify, including disabling, controls that are in place to protect the system. The responsibilities for all privileged users must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLimit the use of privileged access to those administrative functions requiring elevated privileges\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem/Network Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System/Network Administrator may be a federal employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.33, \u003cem\u003eSystem Administrator\u003c/em\u003e. 
Per the HHS IS2P, the system administrator role includes, but is not limited to, other types of system administrators (e.g., database administrators, network administrators, web administrators, and application administrators).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWebsite Owner/Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Website Owner/Administrator may be a federal employee or contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.28, \u003cem\u003eWebsite Owner/Administrator\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Website Owner/Administrator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement proper system backups and patch management processes.\u003c/li\u003e\u003cli\u003eAssess the performance of security and privacy controls associated with the web service to ensure the residual risk is maintained within an acceptable range.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eLimit connections to publicly accessible federal websites and web services to approved secure protocols.\u003c/li\u003e\u003cli\u003eEnsure federal websites and web services adhere to Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS)12 practices.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem Developer and Maintainer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System Developer and Maintainer must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the 
\u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.31, \u003cem\u003eSystem Developer and Maintainer\u003c/em\u003e. The responsibilities of the CMS System Developer and Maintainer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify, tailor, document, and implement information security- and privacy-related functional requirements necessary to protect CMS information, information systems, missions, and business processes, including:\u003cul\u003e\u003cli\u003eEnsure the requirements are effectively integrated into IT component products and information systems through purposeful security architecting, design, development, and configuration in accordance with the CMS SDLC and change management processes\u003c/li\u003e\u003cli\u003eEnsure the requirements are adequately planned and addressed in all aspects of system architecture, including reference models, segment and solution architectures, and information systems that support the missions and business processes\u003c/li\u003e\u003cli\u003eEnsure automated information security and privacy capabilities are integrated and deployed as required.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the System Security and Privacy Officer (previously known as ISSO) to identify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eFollow the CMS SDLC in developing and maintaining a CMS system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among planned and implemented information security and privacy safeguards and the features installed on the system\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003cem\u003eCMS TRA.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the RMF tasks listed in NIST 
SP 800-37 Revision 2\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that currently disseminate data for any purpose are capable of extracting data by pre-approved categories.\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eEnterprise Architect (Function)\u003c/h3\u003e\u003cp\u003eThe Enterprise Architect must be an agency official (federal government employee). The Enterprise Architect must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e Section 7.32. \u003cem\u003eEnterprise Architect\u003c/em\u003e. The CIO may designate specific responsibilities to the Enterprise Architect as necessary.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Enterprise Architect must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop and disseminate strategies, policies, and standards to implement the Enterprise Architecture program.\u003c/li\u003e\u003cli\u003eManage the agency's Enterprise Architecture resources.\u003c/li\u003e\u003cli\u003eProvide leadership in developing, maintaining, and implementing a sound and integrated Enterprise Architecture for the agency and its sub-organizations.\u003c/li\u003e\u003cli\u003eOrganize and chair the agency's Enterprise Architecture advisory group to provide cross-organization business and technical input to Enterprise Architecture-related matters, ensuring CMS programmatic and technical participation in Enterprise Architecture-related activities.\u003c/li\u003e\u003cli\u003eDefine, document, and align the agency's Enterprise Architecture with HHS Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure implementation of the Enterprise Architecture alignment reviews, 
verification of Enterprise Architecture approvals, and granting of waivers within the agency's Capital Planning and Investment Control (CCIC) investment planning and reviews, acquisition procedures, and SDLC project phase reviews.\u003c/li\u003e\u003cli\u003eMonitor program and project artifacts for alignment with Enterprise Architecture requirements, identifying and reporting non-conforming projects for resolution.\u003c/li\u003e\u003cli\u003eAdvise and inform all contractors and developers of Enterprise Architecture standards and compliance requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS adopts data stewardship mechanisms necessary for Enterprise Architecture data of acceptable quality to be created, captured, entered, and maintained promptly in the HHS Enterprise Architecture Repository.\u003c/li\u003e\u003cli\u003eRecommend technical standards to the agency Technical Review Board, ensuring submission to the HHS Chief Enterprise Architect of proposed modifications to HHS Enterprise Architecture and technology standards to meet CMS business requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS Enterprise Architecture-related training requirements are identified, planned for, and implemented.\u003c/li\u003e\u003cli\u003eAdvise or ensure that Enterprise Architecture advice is available to all CMS IT project teams.\u003c/li\u003e\u003cli\u003eRepresent CMS on the HHS Enterprise Architecture Review Board (EARB), and all agency, departmental, and intergovernmental Enterprise Architecture-related advisory bodies or working groups.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAgency Security Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgency Security Operations must fulfill all OpDiv responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv Computer Security Incident Response Team (CSIRT), \u003c/em\u003eand 
applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS Privacy Incident Response Team (PIRT)\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eSecurity operations are a shared responsibility between CMS Agency Security Operations and the ISO's SOC/IRT. For each FISMA system, System Developers and Maintainers are expected to establish, maintain, and operate a SOC/IRT to provide FISMA system situational awareness and incident response. For the CMS enterprise, Agency Security Operations maintains visibility and incident management across all FISMA systems, providing management, information sharing and coordination, unified response (including containment and mitigation approaches), and required reporting across the enterprise to CMS Management.\u003c/p\u003e\u003cp\u003eThe responsibilities for Agency Security Operations, both within the CCIC and across all SOC/IRTs, must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure all personnel with responsibilities for incident response complete annual RBT.\u003c/li\u003e\u003cli\u003eEnsure non-federal technical personnel (SOC/IRT and CCIC) obtain and maintain appropriate commercial information assurance certification credentials that have been accredited by the American National Standards Institute (ANSI) or an equivalent authorized body under the ANSI/International Standards Organization (ISO)/ International Electrotechnical Commission (IEC) 17024 Standard.\u003cul\u003e\u003cli\u003ePersonnel who do not hold a commercial information assurance certification credential must obtain an appropriate credential within six months of the individual's start date or the release date of this document, whichever is later.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEncourage 
federal oversight personnel (SOC/IRT and CCIC) to obtain and maintain a commercial information assurance certification credential that has been accredited by ANSI or an equivalent authorized body under the ANSI/ISO/IEC 17024 Standard.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDirector for the CMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC operates under the direction and authority of the CMS CISO, who appoints the Director for the CCIC.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Director for the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the operational execution of the CCIC function enables the CMS CISO's strategic vision.\u003c/li\u003e\u003cli\u003eOversee the operation of the CCIC.\u003c/li\u003e\u003cli\u003eEnable CCIC capabilities (penetration testing, security engineering, etc.) to efficiently and effectively enhance the CMS enterprise security posture by performing their roles across the enterprise in coordination with CMS groups, partners, and contractors.\u003c/li\u003e\u003cli\u003eSupport the CISO and SOP when immediate disconnection or suspension of any interconnection is required.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC monitors, detects, and isolates information security and privacy incidents and breaches across the CMS enterprise IT environment. The CCIC provides continual situational awareness of the risks associated with CMS data and information systems throughout CMS. 
The CCIC also provides timely, accurate, and meaningful reporting across the technical, operational, and executive spectrum.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as the primary entity in CMS responsible for maintaining CMS-wide operational cyber security situational awareness, based on coordinated enterprise ISCM activities and the overall information security and privacy risk posture of CMS.\u003c/li\u003e\u003cli\u003eServe as the information security and privacy lead organization for coordinating within CMS and identified external organizations for Cyber Threat Intelligence (CTI) sharing, analysis, and response activities, including:\u003cul\u003e\u003cli\u003eIdentify enterprise threats and disseminate advisories and guidance\u003c/li\u003e\u003cli\u003eIdentify and coordinate response with SOC/IRT to ongoing threats to CMS\u003c/li\u003e\u003cli\u003eDevelop and share Indicators of Compromise (IOC)\u003c/li\u003e\u003cli\u003eDevelop and disseminate unified containment and mitigation approaches\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine minimum interoperable defensive technology requirements for CMS systems.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as CMS's primary POC with HHS CSIRC.\u003c/li\u003e\u003cli\u003eReport CMS information security and privacy incidents and breaches to HHS CSIRC.\u003c/li\u003e\u003cli\u003ePerform malware analysis and advanced analytics in support of unified incident response.\u003c/li\u003e\u003cli\u003eCoordinate with the Data Guardian when PII is involved.\u003c/li\u003e\u003cli\u003eCoordinate with the CMS Counterintelligence and Insider Threat Program Office, as 
appropriate.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine enterprise-wide information security and privacy requirements for all phases of the SDLC.\u003c/li\u003e\u003cli\u003eDefine an enterprise-wide, continual assessment process that:\u003cul\u003e\u003cli\u003eValidates incident response processes and procedures\u003c/li\u003e\u003cli\u003eMeets federal law, regulations, mandates, and directives for continual assessment\u003c/li\u003e\u003cli\u003eDefines security data monitored by all SOCs/IRTs and is made available to the CCIC\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine reporting metrics that are compliant with federal law, regulations, mandates, and directives for:\u003cul\u003e\u003cli\u003ePenetration testing\u003c/li\u003e\u003cli\u003eInformation security continuous monitoring\u003c/li\u003e\u003cli\u003eInformation security and privacy incident and breach response\u003c/li\u003e\u003cli\u003eCyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDetermine risk and impact on the CMS enterprise based on:\u003cul\u003e\u003cli\u003eReal-time monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to incidents\u003c/li\u003e\u003cli\u003eCollection, sharing, and analysis of CTI (i.e., knowing the adversary)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDevelop, in coordination with the CCIC Director, information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgency Continuity Point of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Agency Continuity Point of Contact must be an agency official (federal government employee) and is the individual the Administrator designates as the accountable official who 
will:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePerform the duties and responsibilities of the Agency Continuity Point of Contact, as set out in HHS's Continuity of Operations Program Policy.\u003c/li\u003e\u003cli\u003eBe directly responsible to the Administrator for management oversight of the CMS continuity program.\u003c/li\u003e\u003cli\u003eServe as the single POC for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIT Advisory Organizations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS Executive Management established IT advisory and decision-making bodies. These organizations ensure proper project planning; proper use of CMS information; and provide technical guidance ensuring IT projects properly integrate within the CMS environment. These organizations promote CMS strategic objectives and enforce federal requirements, including information security and privacy.\u003c/p\u003e\u003cp\u003eThe primary IT Advisory Organizations relevant to information system security and privacy policy are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e, co-chaired by the Chief Operating Officer (COO) and CIO, manages oversight of all CMS investment-related governance boards.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Board (GRB) \u003c/strong\u003eChaired by the CIO, CFO, and Head of Contracting Activity. Members are the Budget Development Group Chairs. The Agency's IT Investment Review Board serves as the decision or approval authority for IT expenditure. 
Capital Planning and Investment Control.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Team (GRT) \u003c/strong\u003e- Support staff which gathers information to assist the GRB in making decisions.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eTechnical Review Board (TRB) \u003c/strong\u003eChaired by the CTO and supported by IT Governance serves as a key member of the Target Life Cycle Governance Program. They advise and guide IT Project Teams that are moving through the Target Life Cycle to ensure it conforms to the CMS Technical Reference Architecture.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eData Governance Board (DGB) \u003c/strong\u003esupports overall agency data governance. Led by the OEDA CMS Chief Data Officer, it works with the national data sets supplied by CMS to different programs.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Strategic Planning Management Council (SPMC) provides leadership and support for executing CMS strategic objectives across all CMS investments. The SPMC provides a forum for ongoing collaboration among teams and overall management of the CMS Strategy.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Board (GRB)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Board (GRB) is established as part of the CMS IT Governance process to enforce the implementation of CMS enterprise standards and strategy. The GRB consists of CMS Senior Leadership which reviews the recommendations for project alternatives. 
The GRB does not make funding decisions; however, it reviews proposed options and potential solutions to ensure the best solution is implemented by the project team to address the business needs.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Team (GRT) is a project planning body that supports project teams in determining the steps needed to ensure projects are in alignment with CMS Security and Privacy Policy. The GRT will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMake recommendations to the GRB on proposed business cases and alternative analysis ensuring the project:\u003cul\u003e\u003cli\u003eFulfills a need,\u003c/li\u003e\u003cli\u003eDoes not duplicate current processes or functions; and\u003c/li\u003e\u003cli\u003eIs in alignment with current IT Portfolio Goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAdvise Project Teams on the IT Governance Process.\u003c/li\u003e\u003cli\u003eConsist of Subject Matter Experts which support CMS stakeholders in the development of their projects and business cases.\u003c/li\u003e\u003cli\u003eReview Business Cases and support the GRB by providing ongoing review of proposed and operational systems for adherence to CMS policies.\u003c/li\u003e\u003cli\u003eCoordinate with other governance boards to ensure further reviews are implemented when necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eTechnical Review Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Technical Review Board (TRB) is an advisory board established to ensure IT investments are consistent with CMS's IT strategy. The board manages updates to the \u003cem\u003eCMS TRA \u003c/em\u003eto promote the CMS IT strategy and assists projects by ensuring solutions are technically sound and are on track to deliver promised capabilities on time and on budget. 
The TRB:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technology leadership to deliver business value and anticipate change to meet the current and long-term needs of CMS programs.\u003c/li\u003e\u003cli\u003eImplements and communicates CMS's IT strategy to ensure project solutions are cost-effective, sustainable, and support the agency's business.\u003c/li\u003e\u003cli\u003eProvides technical guidance to ensure CMS's IT Investments are properly integrated into the CMS environment.\u003c/li\u003e\u003cli\u003eSupports teams in building IT features.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Governance Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Data Governance Board (DGB) provides executive leadership and stewardship of the agency's data assets, including oversight for the development and implementation of the policies and processes which govern the collection or creation, management, use, and disclosure of CMS data.\u003c/p\u003e\u003cp\u003eThe DGB ensures intra-agency transparency and data stewardship to promote efficient and appropriate use of, and investment into, agency data resources. Transparency and data stewardship include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eOpenness: \u003c/em\u003ePromoting and facilitating the open sharing of knowledge about CMS data, including an understanding of how and where agency data are collected or created, stored, managed, and made available for analysis.\u003c/li\u003e\u003cli\u003e\u003cem\u003eCommunication: \u003c/em\u003ePromoting partnerships across the CMS enterprise to eliminate duplication of effort, stove-piping, and one-off solution designs.\u003c/li\u003e\u003cli\u003e\u003cem\u003eAccountability: \u003c/em\u003eEnsuring agency-wide compliance with approved data management principles and policies. 
Understanding the objectives of current and future strategic or programmatic initiatives and how they impact, or are impacted by, existing data management principles and policies as well as current privacy and security protocols.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIntegrated Information Security and Privacy Policies\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eCMS Tailored Policies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003edelineates information security and privacy policies, including both mandated security controls and a provision for CMS to develop its own controls over CMS information and information systems as long as the HHS baseline requirements are met. CMS tailored specific security controls to ensure they meet the mission and vision of the organization. This section lists the tailored controls which include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls explicitly mandated for CMS by an authoritative agent (e.g., HHS or other federal agency requirements).\u003c/li\u003e\u003cli\u003eControls modified to address the CMS implementation (e.g., CMS architecture, risk framework, and life cycle management).\u003c/li\u003e\u003cli\u003eControls that address specialized topics that extend beyond NIST 800-53, Revision 5 (e.g., the Federal Risk and Authorization Management Program [FedRAMP], and FISCAM).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEmployee Monitoring / Insider Threat (CMS-EMP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-1 \u003c/strong\u003eThe use of warning banners is mandatory on all CMS information systems in accordance with federal and HHS policy and the ARS control requirements. 
A warning banner\u003c/p\u003e\u003cp\u003estates that by accessing a CMS information system, (e.g., logging onto a CMS computer or network), the employee consents to having no reasonable expectation of privacy regarding any communication or data transiting or stored on that system, and the employee understands that, at any time, CMS may monitor the use of CMS IT resources for lawful government purposes. \u003cem\u003e(For the purposes of this policy requirement, the term “employee” includes all individuals who have been provided and currently have access to CMS IT resources and who are current employees, contractors, guest researchers, visiting scientists, and fellows. The term excludes individuals who are not or are no longer CMS employees, contractors, guest researchers, visiting scientists, or fellows.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-2 \u003c/strong\u003eIn accordance with HHS policy the CMS CIO must carry out monitoring in a fashion that protects employee interests and ensures the need for monitoring has been thoroughly vetted and documented.\u003c/p\u003e\u003cp\u003eComputer monitoring of an employee at CMS may be requested by HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cem\u003e(For the purposes of this policy, the term “computer monitoring” covers monitoring of CMS IT resources, including real-time or contemporaneous observation, prospective monitoring, (e.g., using monitoring software), and retrospective review and analyses (e.g., of email sent or received, of computer hard-drive contents) focusing on an individual employee. This section of policy does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or FISMA that perform general system and network monitoring or examinations of computers for malware. 
Additionally, computer monitoring excludes any review and analysis requested by or approved by the employee(s) being covered. This does not apply to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act (FOIA) requests, and investigations by the Government Accountability Office (GAO) and the Office of Special Counsel. Such retrospective searches may be conducted with the consent of the employee or the authorization of the CMS CIO.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-3 \u003c/strong\u003eAll requests from outside law enforcement agencies must be coordinated through the HHS/OIG, except for requests relating to national security or non-criminal insider threat matters. The latter must be coordinated via the Counterintelligence and Insider Threat Program of the Division of Strategic Information (DSI), which in turn coordinates with the HHS/ONS on all requests. Such external computer monitoring requests may be subject to different standards, partly because they are covered by the internal controls of the requesting agency or judicial process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-4 \u003c/strong\u003eNo CMS official may initiate computer monitoring without advance written authorization by the CMS Administrator or the CMS CIO. By HHS policy, this authority to authorize monitoring may not be delegated below the CMS CIO. Prior to submission of a monitoring request, the CMS CIO or HHS/ONS consults with the HHS Office of the General Counsel (OGC). 
The requesting organization documents the basis for approving any request for computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-5\u003c/strong\u003e Computer monitoring may only be authorized for the following reasons:\u003c/p\u003e\u003col\u003e\u003cli\u003eMonitoring has been requested by the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority in accordance with CMS Administrative Services Group, DSI and federally recognized jurisdiction.\u003c/li\u003e\u003cli\u003eReasonable grounds exist to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information (e.g., confidential commercial information or \u003cem\u003ePrivacy Act \u003c/em\u003eprotected information).\u003c/li\u003e\u003cli\u003eReasonable grounds exist to believe that the individual to be monitored may have violated an applicable law, regulation, or written HHS or CMS policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eRoutine IT equipment examinations are permissible when malware searches are involved. 
Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this policy except for follow-up actions that involve computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-6 \u003c/strong\u003eIn circumstances in which HHS/OIG requests computer monitoring for purposes of an HHS/OIG investigation or where HHS/OIG requires assistance in the conduct of computer monitoring, HHS/OIG will provide such information or notification as is consistent with its responsibilities, duties, and obligations under the \u003cem\u003eInspector General Act of 1978, \u003c/em\u003eas amended.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.1\u003c/em\u003e In concert with the HHS/OGC, the CMS CIO must develop a memorandum of understanding (MOU) or similar written agreement with outside law enforcement agencies as a precondition for approving monitoring requests from these organizations. The MOU must include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTitle and organizational component of the person(s) authorized to make monitoring requests on behalf of the law enforcement agency.\u003c/li\u003e\u003cli\u003eDocumentation of the source of the official request demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring (e.g., a subpoena [administrative or grand jury], warrant, national security letter [NSL], or other acceptable documented request [e.g., a written law enforcement administrative request that meets applicable requirements of the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA requirements for certain disclosures to law enforcement agencies]).\u003c/li\u003e\u003cli\u003eAny restrictions applicable to the handling and disclosure of confidential information that may be produced by monitoring.\u003c/li\u003e\u003cli\u003eOther items consistent with this memorandum, including handling sensitive communications, as described in the 
following bullet (Documentation).\u003c/li\u003e\u003cli\u003eDocumentation the written authorization for computer monitoring describes the reason for the monitoring. If the monitoring is initiated at the request of outside law enforcement authorities, the authorization documents that the request was approved, consistent with the applicable MOU with that organization by an official of the governmental entity that has the authority to request the initiation of such monitoring.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.2\u003c/em\u003e Except for monitoring initiated at the request of an outside law enforcement authority or the HHS/OIG, the party requesting the monitoring must document the factual basis justifying the request for monitoring and the proposed scope of the request. Requests for such monitoring must include an explanation of how monitoring will be conducted, how the information collected during monitoring will be controlled and protected, and a list of individuals who will have access to the resulting monitoring information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.3\u003c/em\u003e A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-7 \u003c/strong\u003eThe CMS Administrator or CMS CIO must ensure authorized computer monitoring is appropriately narrow in scope and time-limited and takes the least invasive approach to accomplish monitoring objectives. 
The CMS Administrator or CMS CIO, in reviewing requests for monitoring, must consider whether there are alternative information gathering methods that CMS can utilize to address the concern in lieu of monitoring. When the monitoring request originates from HHS/OIG or outside law enforcement, CMS will grant appropriate deference to a request made in accordance with this policy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-8\u003c/strong\u003e No monitoring authorized or conducted may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys. Employee union officials of CMS will be treated, for non-targeted monitoring purposes, as all other employees of CMS when monitoring is necessary. If such protected communications are inadvertently collected or identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring or anyone else without express written authorization from the HHS/OGC and other appropriate HHS official(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-9 \u003c/strong\u003eWhen a request for computer monitoring is made by a party other than an outside law enforcement authority or the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program, CMS must consult with the OGC as to whether the monitoring is consistent with all applicable legal requirements, including the \u003cem\u003eWhistleblower Protection Act \u003c/em\u003eand \u003cem\u003eHIPAA, \u003c/em\u003eand consider whether there are any additional limits. 
In addition, except for monitoring initiated at the request of outside law enforcement or the HHS/OIG, parties that receive information derived from monitoring must consult with the OGC as to potential restrictions on the use of such information under applicable law.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-10 \u003c/strong\u003eThe CMS CIO must review all employee monitoring every month and, in consultation with the party who requested the monitoring, assess whether it remains justified or is to be discontinued. The CMS CIO must consider whether or not the decision for ongoing monitoring must be reviewed by the OGC. A decision to continue monitoring must be explained and documented in writing by the CMS CIO, who must report at least monthly to the CMS Administrator regarding the status of any ongoing monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-11\u003c/strong\u003e The CMS CIO and the OGC may make recommendations to the CMS Administrator for additional procedures, if necessary, to address specific circumstances not addressed in this policy. 
Insider threat policies and procedures that deviate from the elements of this policy, however, must not be implemented without the written concurrence of the HHS CIO in consultation with the OGC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management Framework (CMS-RMF)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-RMF-1\u003c/strong\u003e The CMS CISO must develop and maintain within the ARS \u003cem\u003eAssessment, Authorization, and Monitoring \u003c/em\u003efamily of controls minimum controls to ensure information systems: (i) are assessed at least every three years or whenever a significant change occurs (as defined in the CMS established procedures; NIST SP 800-37, revision 2, describes examples of significant changes to an information system that should be reviewed for possible re-authorization) to the information system to determine if security and privacy controls are effective in their application; (ii) have POA\u0026amp;Ms designed to correct\u0026nbsp;deficiencies and reduce or eliminate vulnerabilities; (iii) are authorized for processing (including any associated information system connections) by the CMS CIO; and (iv) are monitored on an ongoing basis to ensure the continued effectiveness of the controls. In addition, the CMS CISO, where necessary to add clarity, provides methods in the form of \u003cem\u003eChapters, Procedures, \u003c/em\u003eand/or \u003cem\u003eStandards \u003c/em\u003ewithin the CMS established procedures to facilitate implementation, assurance, and tracking effectiveness of those controls. 
Minimally, these processes and procedures must address the following:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.1 \u003c/em\u003eEnsure all systems and networks receive a system categorization in accordance with the frameworks set forth in FIPS 199, NIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories\u003c/em\u003e, as amended, and please refer to the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.2 \u003c/em\u003eEnsure CMS Business Owners/ISOs conduct risk assessments on systems and networks and document the result in accordance with NIST SP 800-30, \u003cem\u003eGuide for Conducting Risk Assessments\u003c/em\u003e, as amended\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.3\u003c/em\u003e Ensure the CMS Business Owners/ISOs review and update risks, as necessary, no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.4\u003c/em\u003e Ensure CMS Business Owners/ISOs implement appropriate information security and privacy controls as documented in an information system security and privacy plan for each CMS system and network in accordance with NIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and that CMS Business Owners/ISOs review and update plans as needed but no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.5\u003c/em\u003e Ensure CMS Business Owners/ISOs implement and document information security and privacy controls outlined in NIST SP 800-53, Revision 5.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.6 \u003c/em\u003eAssess the controls using the procedures outlined in NIST SP 800-53A, as amended, \u003cem\u003eAssessing Security and Privacy Controls in Information Systems and 
Organizations.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.7\u003c/em\u003e Develop, disseminate, and review/update: (i) formal, documented security assessment and authorization standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.8\u003c/em\u003e Determine (i) the required level of Security Control Assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets and to individuals; and (ii) if the level of Security Control Assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.9\u003c/em\u003e Ensure all CMS systems and networks are formally assessed and authorized using the methodology outlined in NIST SP 800-37 Revision 2, and in accordance with the minimum content requirements for the creation of security authorization packages, as stated in the ARS and the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.10 \u003c/em\u003eEnsure the \u003ca href=\"https://csrc.nist.gov/glossary/term/security_control_assessor\"\u003eSecurity Control Assessor(s)\u003c/a\u003e\u0026nbsp;is identified and assigned prior to applying the RMF tasks to the information system. 
The AO for the information system (i) is the CMS CIO, (ii) authorizes the information system for processing before commencing operations, and (iii) uses the results of the ISCM process to the maximum extent possible as the basis for rendering a re-authorization decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.11\u003c/em\u003e Require SIA and PIA review when any significant change occurs to a CMS system, network, physical environment, etc., to assess the impact of the change on the information security and privacy of the information processed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.12 \u003c/em\u003eEnsure CMS Business Owners/ISOs request to re-authorize all systems at least every three years or when a significant change occurs to the system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.13\u003c/em\u003e Develop an ISCM strategy and implement an ISCM program that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e(i) a configuration management process for the information system and its constituent components;\u003c/li\u003e\u003cli\u003e(ii) determination of the security impact of changes to the information system and environment of operation;\u003c/li\u003e\u003cli\u003e(iii) ongoing information security and privacy control assessments in accordance with the organizational ISCM strategy; and\u003c/li\u003e\u003cli\u003e(iv) reporting on the security state of the information system to appropriate organizational officials.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe organization assesses the information security and privacy controls in an information system, at a minimum, as part of (i) security authorization or re-authorization, (ii) meeting the FISMA requirement for annual assessments, (iii) ISCM, and (iv) testing/evaluation of the information system as part of the SDLC process. 
Those controls that are the most volatile (e.g., controls mostly affected by ongoing changes to the information system or its environment of operation) or deemed essential to protecting CMS operations and assets, individuals, other organizations, and the nation are assessed more frequently in accordance with the CMS CISO's assessment of risk as defined in the CMS established procedures. All other controls are assessed at least once during the information system's three-year authorization cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Systems Development Life Cycle (CMS-SDLC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity Architecture and Engineering (SA\u0026amp;E) activities help CMS Components align with enterprise information security and privacy capabilities, reporting processes, and requirements. SA\u0026amp;E ensures that the information security environment continues to meet business needs and address new and emerging threats by identifying risks and providing adequate information security and privacy protections through testing, implementation, and improvement of new and existing technologies and processes. To help guide a unified enterprise approach to implementing information security and privacy architecture, the risk management and compliance functional area publishes and updates information security and privacy technical guidance and provides input into the development of TRA security-related supplements.17 Security Assessment and Authorization (SA\u0026amp;A) processes help CMS Business Owners/ISOs comply with Capital Planning and Investment Control (CPIC) processes and CMS's SDLC processes to incorporate the security requirements of the ARS and the CMS TRA to obtain system authorization, also referred to as Authority to Operate (ATO), prior to operation. 
The CMS CISO and SOP follow the procedures outlined in the RMF for SA\u0026amp;A in accordance with FISMA and the direction of the CMS CIO.\u003c/p\u003e\u003cp\u003eThe SA\u0026amp;A processes help CMS stakeholders identify information security and privacy risks, assess the adequacy of information security and privacy controls, and ensure information security and privacy responsibilities are assigned prior to authorizing systems for operation. These processes incorporate ISCM and periodic manual assessment techniques to appropriately test the ongoing effectiveness of all controls.\u003c/p\u003e\u003cp\u003eBy following CPIC, SDLC, and RMF, System Developers and Maintainers include information security and privacy requirements from project initiation throughout the life cycle and implement the appropriate controls to manage information security and privacy risk.\u003c/p\u003e\u003cp\u003eThe ARS provides specific standards for completing the RMF process and includes descriptions of the artifacts required to document information and information system controls. The SA\u0026amp;A processes result in identification of information security and privacy risks that must be managed by the POA\u0026amp;M processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-1\u003c/strong\u003e The CISO must integrate information security and privacy into the CMS life cycle processes. 
The SDLC provides the processes and practices of the CMS system development life cycle in accordance with the \u003cem\u003eCMS Policy for Information Technology (IT) Investment Management \u0026amp; Governance\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-2\u003c/strong\u003e Program Executives must engage the System Security and Privacy Officer (previously known as ISSO), CRA, and privacy team early and throughout the SDLC.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-3\u003c/strong\u003e The SDLC processes and procedures must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.1\u003c/em\u003e Integrate information security and privacy requirements into all CMS SDLC activities (i.e., The four distinct phases of the CMS TLC include Initiate, Develop, Operate, and Retire).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.2\u003c/em\u003e Ensure critical SDLC stage gate reviews are conducted to govern the information security and privacy posture of the system being developed. The TRB must evaluate the information security and privacy risk introduced by the system and provide guidance to improve system architecture and engineering.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eThe CMS Technical Review Board (TRB) provides technical guidance to assist project teams with their IT investments and enable them to be integrated within CMS' IT environment. At the project level, the TRB has advisory support services to ensure project solutions are technically sound and on track to deliver the target capabilities. 
The TRB also promotes IT reuse, information sharing, and systems integration across the Agency.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.3 \u003c/em\u003eAssign information security and privacy roles for the information system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.4\u003c/em\u003e Ensure system information security and privacy controls are assessed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.5\u003c/em\u003e Ensure system authorization prior to entering the O\u0026amp;M phase of the SDLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCloud Computing Requirements (CMS-CLD)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS developed CMS-CLD policies to provide guidance and direction on the acceptable uses of cloud service providers (CSP) and cloud computing services in compliance with the \u003cem\u003eFederal Cloud Computing Strategy (Cloud Smart) \u003c/em\u003ewhen used as part of a CMS FISMA system\u003cem\u003e. \u003c/em\u003eThe CMS-CLD policies define directives concerning the procurement, deployment, and utilization of cloud computing services across the CMS enterprise.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://cloud.cio.gov/strategy/\"\u003e\u003cem\u003eCloud Smart\u003c/em\u003e\u003c/a\u003e, CMS permits cloud services within the CMS environment. 
CMS established the policies in this section to guide the use of cloud services and cloud computing installations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-1\u003c/strong\u003e All cloud service implementations used must have an approved Federal Risk and Authorization Management Program (FedRAMP) Authorization and CMS-issued ATO\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-CLD-1.1\u003c/em\u003e If a Software as a Service (SaaS) product does not have a current FedRAMP authorization, a Rapid Cloud Review (RCR) and a CMS-issued Provisional Authority to Operate (P-ATO) would be needed to assess FedRAMP readiness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-2 \u003c/strong\u003eAll FISMA systems and applications deployed on a CSP service must have a valid CMS-issued ATO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-3\u003c/strong\u003e All CSP systems must integrate with continuous monitoring and identity management systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Email Encryption Requirements (CMS-EMAIL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with information security and privacy encryption policies defined by federal laws, executive orders, directives, regulations, policies, standards, and guidance (e.g., HIPAA, Health Information Technology for Economic and Clinical Health [HITECH], Privacy Act, and IRS Publication 1075). 
The CMS Email Encryption Requirements control family provides the CMS standards for implementing information security and privacy controls.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMAIL-1\u003c/strong\u003e CMS Sensitive Information must be protected and only sent to recipients with a “need to know.” Emails containing sensitive information must be protected using one of the following steps:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.1\u003c/em\u003e Ensure unencrypted emails containing sensitive information remain within the CHS email service environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2 \u003c/em\u003eFor recipients outside of the CMS email service environment or trusted domain:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.1\u003c/em\u003e Encrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.2 \u003c/em\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using software that meets FIPS 140-2 for encryption software, (e.g., SecureZip).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.3\u003c/em\u003e Sending passwords for an encrypted attachment via email is prohibited. Instant messaging clients that are integrated with Microsoft Outlook, such as Lync/Skype, must not be used to communicate passwords. Acceptable approaches for sharing passwords include phone conversation, text message, or a shared secret. 
The method chosen must protect the password from compromise.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eProgram Specific Requirements\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Level Control Packages\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has enterprise-level security and privacy controls for inheritance that are based on information security and privacy policies, programs or services that are provided by the offices of the CIO and CISO. These controls must be accounted for within the CMS governance, risk and compliance (GRC) tool in order for them to be leveraged as inherited controls among the FISMA systems. As part of the GRC tool, the systems are designated as FISMA systems, but they are not actual FISMA systems and are not subject to the requirements listed in section 8.1.2. Risk Management Framework (CMS-RMF).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with the Office of Management and Budget (OMB) Memorandum M-19-03, \u003cem\u003eStrengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/em\u003e; the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02, \u003cem\u003eSecuring High Value Assets\u003c/em\u003e; and the \u003cem\u003eHHS High Value Asset (HVA) Program Policy\u003c/em\u003e (August 2019).\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eHHS HVA Program Policy \u003c/em\u003edefines HVAs as:\u003c/p\u003e\u003cp\u003eAssets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.\u003c/p\u003e\u003cp\u003eThe HHS policy requires CMS to 
establish appropriate governance of HVA activities across its organization and integrate HVA remediation activities into its planning, programming, budgeting, and execution process. These efforts will align with federal law, regulations, standards, and guidelines, as well as CMS policies, processes, and procedures. To meet the HHS policy, CMS will conduct the following activities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-1\u003c/strong\u003e The CMS CIO develops a process for creating and maintaining an HVA inventory, consistent with any format and content specified by HHS. Upon request, the Program will complete or update the inventory. HHS may require the inventory to note any or all threats, vulnerabilities, and impacts, and the likelihood of each of these occurring, associated with each system. CMS will share its HVA inventory with HHS upon request, following HHS instructions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-2\u003c/strong\u003e When creating or updating HVA-related contracts and acquisition requirements, CMS Contracting Officer's Representatives (COR) must incorporate appropriate language from the HHS Security and Privacy Language for Information and Information Technology Procurements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-3\u003c/strong\u003e HVA-related artifacts must be handled as directed by OMB and DHS. These documents include instructions for securing and encrypting all correspondence involving HVA-related information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-4 \u003c/strong\u003eHVAs must have a valid Authority to Operate (ATO). 
An ATO must reflect that appropriate safeguards have been implemented to protect the HVA, many of which will be specific to HVAs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-5 \u003c/strong\u003eSecurity assessments must be conducted as a minimum requirement by the CISA-Led Assessment Team for Tier 1 HVAs, Third Party/Independent Assessor for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 2 HVAs\u003c/a\u003e, and Self-Assessment for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 3 HVAs\u003c/a\u003e at the frequency and rigor stipulated by CISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-6\u003c/strong\u003e The CMS CIO, Senior Official for Privacy (SOP) or designated official, must develop a Standard Operating Procedure (SOP) for reviewing CMS's HVAs to identify those HVAs that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal Taxpayer Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystems that collect, maintain, use, or disclose Federal Tax Information (FTI) must follow IRS requirements for protecting FTI. Business Owners of CMS systems, with direction provided by the OIT, must ensure that all applicable information security and privacy controls, whether\u0026nbsp;imposed by an organization or office internal or external to CMS, are incorporated into CMS systems.\u003c/p\u003e\u003cp\u003eThe IRS defines Federal Tax Information as federal tax returns and return information (and information derived from it) that is in the agency's possession or control which is covered by the confidentiality protections of the Internal Revenue Code (IRC) and subject to the IRC 6103(p)(4) safeguarding requirements including IRS oversight. 
CMS often receives, accesses, and uses FTI in conducting its business processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-1\u003c/strong\u003e Business Owners that collect, maintain, use, or disclose FTI must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.1\u003c/em\u003e Comply with IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.2\u003c/em\u003e Document and certify the incorporated controls in their respective system security and privacy plan and identify residual risks in the corresponding risk assessment for their systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.3\u003c/em\u003e Disclose FTI to its agents solely for purposes for which there is an appropriate legal authority, and for which IRS has granted an exception permitting its disclosure.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.4\u003c/em\u003e Notify the IRS Office of Safeguards prior to re-disclosing FTI to contractors. Notify and obtain written approval from the IRS Office of Safeguards prior to re-disclosing FTI to sub-contractors.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.5\u003c/em\u003e Notify the IRS Office of Safeguards when there has been a breach of FTI.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.6\u003c/em\u003e Execute a contract or other agreement with any recipient of the FTI. 
The contract must require the recipient to abide by IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e, including its requirements for providing privacy and security controls for FTI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-2\u003c/strong\u003e Users with access to FTI must adhere to the following when working from Alternative Work Sites:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.1\u003c/em\u003e Telework Locations - FTI remains subject to the same safeguard requirements and the highest level of attainable security. All the requirements of IRS Publication 1075, Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.2\u003c/em\u003e Equipment - CMS must retain ownership and control, for all hardware, software, and end-point equipment connecting to public communication networks, where these are resident at all alternate work sites. Alternatively, the use of virtual desktop infrastructure with non-CMS-owned devices (including personally-owned devices) is acceptable, where all requirements in IRS Publication 1075, Section 9.4.13 Virtual Desktop Infrastructure are met.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.3 \u003c/em\u003eData Storage - FTI may be stored on hard disks only if CMS-approved security access control devices (hardware/software) have been installed, are receiving regularly scheduled maintenance including upgrades, and are being used. 
Access controls must include password security, an audit trail, encryption, virus detection, and data overwriting capabilities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.4 \u003c/em\u003eInspection - Alternate work sites may be subject to periodic inspections by CMS personnel to ensure that safeguards are adequate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and Privacy Control Families\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS ARS is central to the security and privacy framework. Through this document, CMS identifies the essential set of security and privacy controls that must be implemented for CMS Information Systems. CMS established these safeguards based on the agency's interpretation of applicability of HHS and CMS internal policies and guidance, mandates and legislative guidance specific to the CMS environment. Each control family has a specific set of “dash one” controls that requires that policies be in place while the remaining controls provide details for implementing the policy. The “dash one” controls are included in this \u003cem\u003ePolicy \u003c/em\u003ewhile the required implementation of the details for each security and privacy control are outlined in the ARS. This section provides an overview of the policy requirements associated with each “dash one” control family and includes additional details required for these “dash one” controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAccess Control (AC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAC-1\u003c/strong\u003e The Program must develop and document an access control policy that addresses purpose, scope, responsibility, management commitment, coordination among organizational entities, and compliance. 
The Access Control family of controls ensures access to information systems is limited to authorized users, processes acting on behalf of authorized users, and devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Access Control Policies and Procedures\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.2\u003c/em\u003e Develop an Access Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Access Control family of controls and following defined events in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.4\u003c/em\u003e Disseminate policies, procedures, and standards for the Access Control family of controls to all personnel who perform roles defined within this \u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.5 \u003c/em\u003eMaintain all policies, procedures, and standards associated with the Access Control family of controls to reflect applicable federal laws, executive orders, directives, regulations, policies, standards, and guidance.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.6 \u003c/em\u003eDefine access control policies and procedures to provide the foundation required to ensure privacy protections are implemented for the identified uses of PII and PHI.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training (AT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAT-1 \u003c/strong\u003eThe Program must develop and maintain minimum controls to ensure managers and users of information systems are made aware of the information security and 
privacy risks associated with their activities and of the applicable federal and agency requirements related to the information security and privacy of CMS systems. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Awareness and Training family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAT-1.1.1 Develop topic-based training to explain privacy processes carried out within CMS and update topic-based training courses when significant changes occur to privacy processes.\u003c/p\u003e\u003cp\u003eAT-1.1.2 Develop and implement an information security and privacy education, awareness, and training program for all employees and individuals working on behalf of CMS involved in managing, using, and/or operating information systems.\u003c/p\u003e\u003cp\u003eAT-1.1.2.1 Ensure information security awareness and training is provided to all employees and contractors, and that all employees and contractors review and acknowledge an approved RoB within sixty (60) days from entry on duty (EOD) date, or commencement of work on a contract or subcontract; and ensure and acknowledge the RoB annually thereafter.\u003c/p\u003e\u003cp\u003eAT-1.1.2.2 Ensure privacy awareness and training is provided within sixty (60) days from EOD date, or commencement of work on a contract or subcontract, and annually thereafter, to all employees and contractors to explain the importance and responsibility in safeguarding PII and PHI and ensuring privacy, as established in federal legislation, regulations, and OMB guidance.\u003c/p\u003e\u003cp\u003eAT-1.1.2.3 Ensure system information security and privacy training records are documented in support of annual FISMA reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-2\u003c/strong\u003e The Program must develop and maintain minimum controls to ensure those with 
“significant information security and privacy responsibilities” receive adequate role-based training (RBT) to carry out those responsibilities. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.1 \u003c/em\u003eEnsure initial and periodic information security and privacy RBT is provided for all individuals in roles that possess significant information security and privacy responsibilities, including those that are CMS federal employees, contractors, and subcontractors. CMS RBT must meet or exceed HHS RBT requirements, as follows:\u003c/p\u003e\u003cp\u003eAT-2.1.1 CMS must identify all personnel (employees and contractors) and their associated work roles with significant information security and privacy responsibilities, in accordance with the HHS Cybersecurity Coding Guide and the National Initiative for Cybersecurity Education (NICE) Framework. The Program will identify appropriate minimum RBT requirements for each identified role with significant information security and privacy responsibilities.\u003c/p\u003e\u003cp\u003eAT-2.1.2 All CMS employees, including managers, Senior Executive Service (SES) personnel, and contractors who have significant information security and privacy responsibilities, must complete minimum RBT requirements within sixty (60) days from EOD date, or commencement of work on a contract or subcontract. Thereafter, all personnel with significant information security and privacy responsibilities must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.3 Individuals who change roles within CMS such that they assume new significant information security and privacy responsibilities, or who otherwise assume such responsibilities, must complete RBT within 60 days of assuming those new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.4 All CMS employees and contractors with significant information security and privacy responsibilities who have not completed the required training within the mandated timeframes will have their user accounts disabled until they have met their RBT requirement.\u003c/p\u003e\u003cp\u003eAT-2.1.5 All companies/vendors contracting with CMS are responsible for ensuring that their personnel who have significant information security and privacy responsibilities have training commensurate with their role. Training records must be submitted to CMS upon commencement of work and annually thereafter (or upon request whichever comes first).\u003c/p\u003e\u003cp\u003eAT-2.1.6 The CMS CISO, in coordination with the CMSs Training Coordinator(s) and Contracting Officers/Representatives (CO/COR), must track and maintain RBT records for all personnel with significant information security and privacy responsibilities. All training records must be retained consistently with an appropriately selected records retention schedule.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.2\u003c/em\u003e Develop appropriate security and privacy RBT for personnel with significant information security and privacy responsibilities in accordance with all relevant federal laws, regulations, and guidelines. The Program may provide such training in the form of CMS- or HHS-approved courses or professional development training, or in other appropriate formats. Personnel may also request approval for external training, such as certificate programs or college courses, to satisfy their RBT requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.3 \u003c/em\u003eRequire personnel wishing to receive credit for any form of RBT taken from an organization external to CMS, in satisfaction of any CMS or HHS training requirement to first seek review and approval from their supervisor (or for contractors, from their employer). 
The Program may further require personnel to supply information concerning completion of such external programs (such as grade reports or certificates of completion) before providing personnel with credit or acknowledgment for having satisfied the relevant RBT requirement.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.4\u003c/em\u003e In addition to periodically identifying all \u003cem\u003eroles \u003c/em\u003eof personnel that have significant information security and privacy responsibilities, CMS will also periodically identify all \u003cem\u003especific individuals \u003c/em\u003ewho serve in roles with significant information security and privacy responsibilities. CMS managers are responsible for cooperating with the Program to identify individuals with significant information security and privacy responsibilities, and for ensuring that the personnel they manage are appropriately categorized in their roles. CMS managers will be required to complete this identification process as a CMS personnel needs assessment.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.5\u003c/em\u003e Personnel who assume multiple roles must complete at least one training that addresses the unique responsibilities associated with at least one role. CMS managers must also ensure the personnel they manage complete the appropriate minimum RBT requirements in the required time frames.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.6\u003c/em\u003e The Program may request verification of completion of RBT of all personnel from CMS managers. 
The Program may require managers to supply adequate information, for each individual completing RBT, to verify the individual's identity, the content of the RBT, and proof of completion of RBT.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-3\u003c/strong\u003e Develop an Awareness and Training Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-4 \u003c/strong\u003eReview and update policies, procedures, and standards for the Awareness and Training Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAudit and Accountability (AU)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAU-1\u003c/strong\u003e The Program must develop and maintain (within the Audit and Accountability family of controls) minimum controls to ensure information system audit records are created, protected, and retained to the extent needed to: (i) enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Audit and Accountability family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAU-1.1.1 Identify which events the organization audits, based on a risk assessment and mission/business needs.\u003c/p\u003e\u003cp\u003eAU-1.1.2 Identify and ensure a subset of auditable events applicable to the information system is chosen, based on threat information and risk assessment.\u003c/p\u003e\u003cp\u003eAU-1.1.3 Identify and ensure the rationale is provided for why the list of auditable events is deemed adequate to support incident investigations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.2\u003c/em\u003e Develop an Audit and Accountability Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.3\u003c/em\u003e Ensure audit record content for all CMS system components, at a minimum, includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of the event\u003c/li\u003e\u003cli\u003eComponent of the information system (e.g., software component, hardware component) where the event occurred\u003c/li\u003e\u003cli\u003eType of event\u003c/li\u003e\u003cli\u003eUser/subject identity\u003c/li\u003e\u003cli\u003eOutcome (success or failure) of the event\u003c/li\u003e\u003cli\u003eExecution of privileged functions.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eAU-1.4 \u003c/em\u003eEnsure audited events are significant and relevant to the information security and privacy needs associated with the information system.\u003c/p\u003e\u003cp\u003eAU-1.4.1 Auditing must be compliant with the \u003ca href=\"http://www.uscourts.gov/file/rules-evidence\"\u003eFederal Rules of Evidence \u003c/a\u003eas published by US Courts.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.5 \u003c/em\u003eDefine CMS 
processes, procedures, and standards for the maintenance and review of audit logs for indications of inappropriate or unusual activity to ensure:\u003c/p\u003e\u003cp\u003eAU-1.5.1 Findings are reported to the designated CMS officials, including system officials with a need to know (e.g., Business Owner, Security and Privacy Officer).\u003c/p\u003e\u003cp\u003eAU-1.5.2 The level of audit review, analysis, and reporting is adjusted when there is a change in risk.\u003c/p\u003e\u003cp\u003eAU-1.5.3 A uniform time and time protocol is implemented across CMS, based on CMS approved sources.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.6\u003c/em\u003e Ensure audit and accountability policies, processes, procedures, and standards directly support privacy audit and accountability requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.7 \u003c/em\u003eCoordinate information security- and privacy-related audit functions with other entities that require audit information to enhance mutual support and guide the selection of auditable events.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.8\u003c/em\u003e Review and update policies, procedures, and standards for the Audit and Accountability Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessment, Authorization, and Monitoring (CA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCA-1 \u003c/strong\u003eThe Program must develop and document a security assessment and authorization control policy governing the assessment and authorization of FISMA systems within the CMS enterprise environment or any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Security Assessment and Authorization family of security controls in the ARS to:\u003c/p\u003e\u003cp\u003eCA-1.1.1 Perform security assessments on information systems and the environments in which those systems operate as part of (i) initial and ongoing security authorizations, (ii) FISMA annual assessments, (iii) continuous monitoring, and (iv) system development life cycle activities.\u003c/p\u003e\u003cp\u003eCA-1.1.2 Authorize connections from the information system to other information systems through the use of Interconnection Security Agreements.\u003c/p\u003e\u003cp\u003eCA-1.1.3 Develop and submit a POA\u0026amp;M for the information system as a result of any security assessment findings.\u003c/p\u003e\u003cp\u003eCA-1.1.4 Develop an ISCM strategy and implement a program compliant with HHS ISCM Strategy.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.2\u003c/em\u003e Develop a Security Assessment and Authorization Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Security Assessment and Authorization Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfiguration Management (CM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCM-1 \u003c/strong\u003eThe CMS Configuration Management Executive must coordinate with the CMS CISO and the Program to document the configuration management processes and procedures to define configuration items at the system and component level (e.g., hardware, software, workstation); monitor configurations; and track and approve changes prior to implementation, including but not limited to 
flaw remediation, security patches, and emergency changes (e.g., unscheduled changes such as mitigating newly discovered security vulnerabilities, system crashes, replacement of critical hardware components). Baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) must be established and maintained throughout the respective system life cycles, and security configuration settings for information products employed in information systems must be established and enforced. In coordination with the CMS Configuration Management Executive, the Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Configuration Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCM-1.1.1 Ensure configuration management procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eCM-1.1.2 Ensure scheduled changes to networks or systems are authorized prior to implementation and are not permitted outside of the configuration management process.\u003c/p\u003e\u003cp\u003eCM-1.1.3 Monitor system configurations and changes to ensure configuration management processes and procedures are followed.\u003c/p\u003e\u003cp\u003eCM-1.1.4 Evaluate the configuration management process periodically, as specified in the ARS, as part of the required FISMA reporting process to verify adequacy and effectiveness.\u003c/p\u003e\u003cp\u003eThrough the Program the CMS CISO, in coordination with the CMS Configuration Management Executive, defines and develops policies to ensure CMS Business Owner/ISOs:\u003c/p\u003e\u003cp\u003eCM-1.1.5 Implement and enforce configuration management controls for all CMS systems and networks.\u003c/p\u003e\u003cp\u003eCM-1.1.6 Develop, document, and 
maintain a current baseline configuration of each system and the system's constituent components.\u003c/p\u003e\u003cp\u003eCM-1.1.7 Develop, document, and maintain an inventory of the components, both hardware and software, that includes relevant ownership information.\u003c/p\u003e\u003cp\u003eCM-1.1.8 Test, validate, and document proposed changes prior to implementation to assess the impact to the information security and privacy of data.\u003c/p\u003e\u003cp\u003eCM-1.1.9 Ensure systems categorized as “Moderate” or “High” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRetain older versions of baseline configurations as deemed necessary to support rollback\u003c/li\u003e\u003cli\u003eMaintain a baseline configuration for development and test environments to ensure development and test environments are managed separately from the operational environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThrough the program, the CMS CISO must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.10 Current (up-to-date) anti-virus (AV)/anti-malware and host-based intrusion detection system (HIDS) applications are included, as appropriate, on systems connected to the CMS network.\u003c/p\u003e\u003cp\u003eCM-1.1.11 AV software is configured to automatically perform periodic virus scanning.\u003c/p\u003e\u003cp\u003eCM-1.1.12 HIDS software is configured to automatically scan all inbound and outbound network traffic.\u003c/p\u003e\u003cp\u003eThe CMS Configuration Management Executive must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.13 All systems and system components adhere to \u003cem\u003eHHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eCM-1.1.14 Appropriate CCBs are created and managed for the review and approval of changes.\u003c/p\u003e\u003cp\u003eCM-1.1.15 Configuration management includes a representative from the system as a member of the CCB. 
Participation on the CCB is at the Security Control Assessors discretion. If the Security and Privacy Officer or Security Control Assessor acts as a voting member of the CCB, they must be a federal employee.\u003c/p\u003e\u003cp\u003eCM-1.1.16 Personnel with configuration management responsibilities are trained on CMS configuration management processes.\u003c/p\u003e\u003cp\u003eCM-1.1.17 Change documentation is maintained for no less than 12 months after a change is made.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.2\u003c/em\u003e Develop a Configuration Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.3\u003c/em\u003e For systems categorized as “High” under FIPS 199, ensure detection of unauthorized information security and privacy relevant configuration changes is incorporated into the incident response capability to ensure events are tracked, monitored, corrected, and available for historical purposes.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.4 \u003c/em\u003eReview and update policies, procedures, and standards for the Configuration Management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCP-1\u003c/strong\u003e The Program must develop and maintain the Contingency Planning family of controls to ensure contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems are established, maintained, and effectively implemented. IT Contingency Plans ensure the availability of critical information resources and continuity of operations in emergency situations. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Contingency Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCP-1.1.1 Work with Business Owners/ISOs to develop and document an IT contingency plan for all information systems in accordance with NIST SP 800-34 rev 1, \u003cem\u003eContingency Planning Guide for Information Technology Systems, \u003c/em\u003eand all other relevant CP documentation defined in the ARS.\u003c/p\u003e\u003cp\u003eIT contingency plans must support:\u003c/p\u003e\u003cp\u003eCP-1.1.1.1 Applicable CMS continuity of operations plans (COOP), particularly for information systems supporting the continuity of CMS's essential business functions.\u003c/p\u003e\u003cp\u003eCP-1.1.1.2 Recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.\u003c/p\u003e\u003cp\u003eCP-1.1.1.3 Implementation of privacy-applicable requirements to reduce the risk of avoidable information security and privacy incidents and breaches while executing contingency measures.\u003c/p\u003e\u003cp\u003eIT contingency plans, as part of the required FISMA reporting process, must be:\u003c/p\u003e\u003cp\u003eCP-1.1.1.4 Reviewed and updated periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.1.5 Tested periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.2 Ensure systems categorized as “High” or “Moderate” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement a transaction recovery system for transaction-based systems\u003c/li\u003e\u003cli\u003ePerform coordinated contingency testing and/or exercises with organizational elements responsible for related plans.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3 Ensure systems categorized as “High” under FIPS 199 develop an IT contingency plan in coordination with 
organizational elements responsible for related plans (e.g., incident response).\u003c/p\u003e\u003cp\u003eCP-1.1.3.1 Business Owners/ISOs must develop and document a comprehensive system backup strategy for each system.\u003c/p\u003e\u003cp\u003eCP-1.1.3.1.1 The system backup strategy must document processes to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSupport the information system recovery\u003c/li\u003e\u003cli\u003eStore backup copies of the operating system and other critical information system software, as well as copies of the information system inventory, in a physically separate facility or in a fire-rated container not co-located with the operational system\u003c/li\u003e\u003cli\u003eMeet business continuity needs, including the identified RTO and RPO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3.1.2 Applicable alternate processing sites must be established that are compliant with FIPS 199 system categorization requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.2 \u003c/em\u003eDevelop a Contingency Planning Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.3 \u003c/em\u003eFor systems categorized as “High” (or as “Moderate” and supporting essential CMS mission or business functions) under FIPS 199, ensure the CMS Business Owner/ISO establishes and maintains appropriate alternate processing and storage site agreements that require:\u003c/p\u003e\u003cp\u003eCP-1.3.1 Alternate processing sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s) and primary processing site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate processing site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary processing site(s) are provided\u003c/li\u003e\u003cli\u003eBe configurable for use as an operational site. 
\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.3.2 Alternate storage sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate storage site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary storage site(s) are provided.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCP-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Contingency Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentification and Authentication (IA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIA-1 \u003c/strong\u003eThe Program must develop and maintain the Identification and Authentication family of controls to ensure information system users, processes acting on behalf of users, and devices are identified, and the identities authenticated (or verified) as a prerequisite to allowing access to information systems. 
Through the Program, the CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIA-1.1.1 Establish policy and procedures for the effective implementation of selected security controls and control enhancements in the IA control family.\u003c/p\u003e\u003cp\u003eIA-1.1.2 Ensure policy and procedures reflect applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eIA-1.1.3 Ensure the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and the organizations meet all the requirements specified by HHS policy and applicable implementation standard(s).\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.2 \u003c/em\u003eDevelop an Identification and Authentication Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.3 \u003c/em\u003eEnsure all users, including federal employees, contractors, and entities with network access to systems, use multi-factor authentication. 
External-facing applications must offer consumers multi-factor authentication as an option.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Identity and Authentication Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Response (IR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIR-1 \u003c/strong\u003eThe Program must develop and maintain the Incident Response family of controls to establish an operational incident handling capability for information systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked, documented, and reported. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Incident Response family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIR-1.1.1 Document, maintain, and communicate policies and procedures in accordance with the \u003cem\u003eHHS Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response \u003c/em\u003eand the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, including roles and responsibilities for information security and PII incidents and violation handling.\u003c/p\u003e\u003cp\u003eIR-1.1.2 Ensure CMS employees' and contractors' situational awareness through:\u003c/p\u003e\u003cp\u003eIR-1.1.2.1 Receipt of information system security and privacy alerts, advisories, and directives from designated external organizations on an ongoing basis.\u003c/p\u003e\u003cp\u003eIR-1.1.2.2 Generation of internal information security and privacy alerts, advisories, and directives as deemed necessary.\u003c/p\u003e\u003cp\u003eIR-1.1.2.3 
Dissemination of information security and privacy alerts, advisories, and directives to personnel (see the ARS for a complementary, CMS-defined process).\u003c/p\u003e\u003cp\u003eIR-1.1.3 Ensure CMS employees' and contractors' awareness of privacy-related incidents through:\u003c/p\u003e\u003cp\u003eIR-1.1.3.1 Development and implementation of privacy breach notification and response policies, processes, and standards.\u003c/p\u003e\u003cp\u003eIR-1.1.3.2 Appropriate notification of the SOP for all incidents involving PII or PHI.\u003c/p\u003e\u003cp\u003eIR-1.1.4 Ensure CMS employees and contractors maintain incident response processes and procedures by:\u003c/p\u003e\u003cp\u003eIR-1.1.4.1 Reviewing and updating Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.2 Testing Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.3 Incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.\u003c/p\u003e\u003cp\u003eIR-1.1.5 Ensure CMS employees and contractors maintain familiarity with incident response processes and procedures through periodic training, as defined in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.2 \u003c/em\u003eThe CMS CISO, in coordination with the CMS Director of CCIC and Business Owners/ISOs, must establish and maintain an information security and privacy incident and breach response capability that includes preparation, identification, containment, eradication, recovery, and follow-up capabilities to ensure effective recovery from information security and privacy incidents and breaches.\u003c/p\u003e\u003cp\u003eIR-1.2.1 For systems categorized as “Moderate” or “High” under FIPS 199, incident handling activities must be coordinated with contingency planning activities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.3 \u003c/em\u003eDevelop an Incident Response Policy which is consistent with the ARS and 
other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Incident Response Control family of controls and following defined events in ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMaintenance (MA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMA-1\u003c/strong\u003e The Program must develop and maintain the System Maintenance family of controls to ensure (i) periodic and timely maintenance on organizational information systems is performed and (ii) effective controls are established for the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. The Program must:\u003c/p\u003e\u003cp\u003eMA-1.1 Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Maintenance family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMA-1.1.1 Ensure privacy considerations are included in system maintenance policy and procedures, especially when the system contains information subject to the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA.\u003c/p\u003e\u003cp\u003eMA-1.1.2 Ensure routine preventative and regular maintenance (including repairs) on the components of all CMS information systems, supporting utilities, and ancillary equipment (e.g., within the data center, used for testing) are scheduled, performed, documented, and reviewed.\u003c/p\u003e\u003cp\u003eMA-1.1.2.1 Maintenance processes and procedures must be compliant with CMS processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.2.2 Maintenance processes and procedures may reference manufacturer or vendor specifications.\u003c/p\u003e\u003cp\u003eMA-1.1.3 Ensure information system maintenance tools are approved, controlled, maintained, and monitored as required.\u003c/p\u003e\u003cp\u003eMA-1.1.4 Ensure only authorized personnel are allowed to perform maintenance on 
the information system through established processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.4.1 Personnel authorized to perform maintenance must be compliant with requirements defined under the Awareness and Training and Personnel Security sections of this document.\u003c/p\u003e\u003cp\u003eMA-1.1.5 For non-local (e.g., remote) maintenance and diagnostic services ensure:\u003c/p\u003e\u003cp\u003eMA-1.1.5.1 Services are authorized, monitored, and controlled.\u003c/p\u003e\u003cp\u003eMA-1.1.5.2 Tools are consistent with organizational policy and documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.5.3 Strong identification and authentication techniques are employed in the establishment of sessions.\u003c/p\u003e\u003cp\u003eMA-1.1.5.4 Activity records are maintained.\u003c/p\u003e\u003cp\u003eMA-1.1.5.5 All sessions and network connections are terminated when non-local maintenance is completed.\u003c/p\u003e\u003cp\u003eMA-1.1.6 Ensure appropriate protection of information systems and/or components being removed:\u003c/p\u003e\u003cp\u003eMA-1.1.6.1 The CMS Business Owner/ISO or designated federal employee must approve the removal of information systems and/or system components for offsite maintenance/repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.6.2 The equipment/media must be sanitized in a manner compliant with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST sanitization standards\u003c/a\u003e prior to removal from organizational facilities for offsite maintenance or repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.7 For systems categorized as “Moderate” or “High” under FIPS 199, maintenance records must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance\u003c/li\u003e\u003cli\u003eName of the individual performing the maintenance\u003c/li\u003e\u003cli\u003eName of escort, if necessary\u003c/li\u003e\u003cli\u003eDescription of the 
maintenance performed\u003c/li\u003e\u003cli\u003eList of equipment (including components and parts), including the removal and/or replacement of applicable identification numbers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.7.1 Inspect all maintenance tools carried into a facility by maintenance personnel for improper modifications.\u003c/p\u003e\u003cp\u003eMA-1.1.7.2 Check all media containing diagnostic and test applications and programs for malicious code before the media is used in the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.7.3 Ensure non-local maintenance and diagnostic sessions, including review of the maintenance records of the sessions, are audited by the Security and Privacy Officer.\u003c/p\u003e\u003cp\u003eMA-1.1.7.4 Ensure installation and use of non-local maintenance and diagnostic connections are documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.8 For systems categorized as “High” under FIPS 199, CMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.8.1 Employ automated mechanisms to schedule, conduct, and document any required maintenance and repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.8.2 Produce and maintain up-to-date, accurate, complete, and available records of all maintenance and repair actions that are needed, in process, and completed.\u003c/p\u003e\u003cp\u003eMA-1.1.8.3 Prevent the unauthorized removal of maintenance equipment/media by performing one of the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying there is no CMS sensitive information contained on the equipment/media\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment/media in a manner compliant with NIST or DoD guidance\u003c/li\u003e\u003cli\u003eRetaining the equipment/media within the facility\u003c/li\u003e\u003cli\u003eDocumenting the removal of the equipment/media from the facility with an exemption signed by the Business 
Owner/ISO or designated federal employee\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eMA-1.2 \u003c/em\u003eDevelop a Maintenance Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Maintenance Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMedia Protection (MP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMP-1 \u003c/strong\u003eThe Program must develop and maintain the Media Protection family of controls to ensure information system media containing sensitive information, both digital and non-digital, is protected by (i) limiting access to authorized users and (ii) sanitizing or destroying information system media before disposal or release for reuse. The program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Media Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMP-1.1.1 Inform all employees and contractors with potential access to sensitive information, such as PII or PHI, about all policies and procedures to protect any sensitive information residing on the various media types used by CMS.\u003c/p\u003e\u003cp\u003eMP-1.1.2 Ensure procedures exist for protecting information system media during transport, specifically through the use of cryptography and restricting the transport of such media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp\u003eMP-1.1.3 Develop and maintain processes, procedures, and standards to ensure information system media, both digital and non-digital, are properly sanitized and/or disposed of.\u003c/p\u003e\u003cp\u003eMP-1.1.3.1 Ensure sanitization and disposal 
techniques (i.e., clear, purge, destroy) for digital and non-digital media are in compliance with NIST SP 800-88 Revision 1, \u003cem\u003eGuidelines for Media Sanitization, \u003c/em\u003eincluding the media sanitization decision matrix, prior to disposal, release, and transfer of custody for re-use.\u003c/p\u003e\u003cp\u003eMP-1.1.4 Ensure all confidential or classified information is sanitized and disposed of in accordance with policy, procedures, and standards established by the National Security Agency (NSA) and DoD.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.2 \u003c/em\u003eDevelop a Media Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Media Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePhysical and Environmental Protection (PE)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePhysical controls are important for protecting FTI, PII and PHI against unauthorized access, use, and disclosure. Environmental controls can be critical when FTI and PII have high availability requirements (e.g., core mission capabilities of an organization rely on consistent and frequent access to PII/FTI)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePE-1\u003c/strong\u003e The Program must develop and maintain the Physical and Environmental Protection family of controls to ensure physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Physical and Environmental Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePE-1.1.1 Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.\u003c/p\u003e\u003cp\u003ePE-1.1.2 Protect the physical plant and support infrastructure for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.3 Provide supporting utilities for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.4 Protect against environmental hazards.\u003c/p\u003e\u003cp\u003ePE-1.1.5 Consider the data sensitivity when defining physical and environmental controls for systems.\u003c/p\u003e\u003cp\u003ePE-1.1.6 Maintain an understanding that the sensitivity of information impacts the necessary physical and environmental controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.2 \u003c/em\u003eDevelop a Physical and Environmental Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Physical and Environmental Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePlanning (PL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePL-1\u003c/strong\u003e The Program must develop and maintain the Planning family of controls to ensure information security and privacy planning for FISMA systems are performed within the CMS enterprise environment and on any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.1 \u003c/em\u003eDesignate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePL-1.1.1 Develop, document, and maintain information security and privacy plans for each CMS system and network:\u003c/p\u003e\u003cp\u003ePL-1.1.1.1 Security plans must be in accordance with NIST SP 800-18 Revision 1, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e.\u003c/p\u003e\u003cp\u003ePL-1.1.1.2 Privacy plans must address the privacy requirements for confidentiality, availability, and integrity for the organization and individual information system(s).\u003c/p\u003e\u003cp\u003ePL-1.1.1.3 Business Owners/ISOs must review and update the information security and privacy plans periodically as defined in the ARS, and following defined events in the ARS and applicable control implementation statements of the associated PL controls.\u003c/p\u003e\u003cp\u003ePL-1.1.2 Develop, document, and maintain an Information Security Architecture to:\u003c/p\u003e\u003cp\u003ePL-1.1.2.1 Document the information security segments of the CMS enterprise architecture in accordance with OMB Circular A-130.\u003c/p\u003e\u003cp\u003ePL-1.1.2.2 Fully integrate information security and privacy into the CMS architecture framework.\u003c/p\u003e\u003cp\u003ePL-1.1.3 Review and update the security segments of the CMS enterprise architecture periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4 Develop, document, and maintain the CMS Acceptable Use standards within the \u003cem\u003eHHS Rules of Behavior For Use of HHS Information and IT Resources Policy.\u003c/em\u003e\u003c/p\u003e\u003cp\u003ePL-1.1.4.1 Privacy requirements must be identified in contracts and acquisition-related documents.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2 CMS employees and 
contractors (users) must:\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.1 Be informed that the use of CMS IT resources, other than for authorized purposes, is a violation of the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy \u003c/em\u003eand is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges, which could result in imprisonment.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.2 Be prohibited from transmitting sensitive CMS information using any non-CMS approved Internet-based mechanism, including but not limited to personal email, file-sharing, file transfer, and backup services.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.3 Read and sign the HHS RoB periodically, as defined in the ARS. PL-1.1.4.3 Personal use of CMS IT resources must comply with \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy\u003c/em\u003e, which governs the appropriate use of CMS IT resources to ensure personal use of those resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.2\u003c/em\u003e Develop a Planning Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram Management (PM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePM-1 \u003c/strong\u003eThe Program must develop and maintain the Program Management family of controls to ensure CMS develops an organization-wide information security and privacy program. The Program Management (PM) controls are typically implemented at the organization level and not specifically directed at individual information systems. 
Through the PM implementation of the controls, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Program Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePM-1.1.1 Periodic review and update of the Program Plan following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003ePM-1.1.2 CMS develops, maintains and reviews:\u003c/p\u003e\u003cp\u003ePM-1.1.2.1 Information security and privacy policy as an overview of the information security and privacy management controls and common controls.\u003c/p\u003e\u003cp\u003ePM-1.1.2.2 Policy and procedures to ensure requirements for protecting controlled unclassified information processed, stored, or transmitted on external systems are implemented.\u003c/p\u003e\u003cp\u003ePM-1.1.2.3 An accurate accounting of disclosures of personally identifiable information as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.4 Policies and procedures for reviewing the accuracy, relevance, timeliness, and completeness of PII across the information life cycle as specified in the ARS. PM-1.1.2.5 The process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.\u003c/p\u003e\u003cp\u003ePM-1.1.2.6 A privacy program structured to inform the information security program of all privacy-related requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3 CMS identifies roles, responsibilities, and compliance requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3.1 CMS must appoint the CISO as the Senior Information Security Officer. 
PM-1.1.3.2 CMS must appoint individuals with specific roles and responsibilities.\u003c/p\u003e\u003cp\u003ePM-1.1.4 CMS holds the approved AO accountable for the risk to the operations within CMS, organizational assets, individuals, and the nation.\u003c/p\u003e\u003cp\u003ePM-1.1.5 CMS develops, implements, and maintains a Risk Management Strategy to: PM-1.1.5.1 Document remediation actions responding to identified risk.\u003c/p\u003e\u003cp\u003ePM-1.1.5.2 Develop and implement a POA\u0026amp;M process to address information security and privacy risks identified in its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.3 Develop and maintain inventory listings of its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.4 Measure the effectiveness of the Program, information security controls, and privacy controls.\u003c/p\u003e\u003cp\u003ePM-1.1.6 CMS develops, implements, and maintains a testing, training, and monitoring program.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.2 \u003c/em\u003eDevelop a Program Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Security (PS)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePS-1 \u003c/strong\u003eThe Program must develop and maintain the Personnel Security family of controls to ensure (i) CMS information systems employ personnel security controls consistent with applicable laws, executive orders, policies, directives, regulations, standards, and guidelines and (ii) procedures are developed to guide the implementation of personnel security controls. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personnel Security family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePS-1.1.1 CMS information systems employ personnel security controls consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003ePS-1.1.2 Processes and procedures are developed to guide the implementation of personnel security controls.\u003c/p\u003e\u003cp\u003ePS-1.1.2.1 Where appropriate, roles that require access to sensitive information (such as PII and PHI) must apply additional personnel security measures.\u003c/p\u003e\u003cp\u003ePS-1.1.3 Individuals occupying positions of responsibility within organizations (i.e., including third-party service providers) are trustworthy and meet established security criteria for the positions of responsibility.\u003c/p\u003e\u003cp\u003ePS-1.1.4 Information and information systems are adequately protected when personnel actions occur such as initial employment, terminations, and transfers.\u003c/p\u003e\u003cp\u003ePS-1.1.5 Formal sanctions for personnel failing to comply with organizational security policies and procedures are employed.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.2\u003c/em\u003e Develop a Personnel Security Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Personnel Security Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePII Processing and Transparency (PT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePT-1\u003c/strong\u003e The Program must develop and maintain the Processing 
and Transparency family of controls to ensure the confidentiality of Personally Identifiable Information being processed and maintained by CMS organizational information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personally Identifiable Information Processing and Transparency family of controls in the ARS to. The Program Must:\u003c/p\u003e\u003cp\u003ePT-1-1-1 Coordinate with the SOP and the CISO in establishing the organizational authority for the use of Personally Identifiable Information being processed and developing processes to restrict the use of PII.\u003c/p\u003e\u003cp\u003ePT-1-1-2 Ensure public notices and policies are developed to describe the purpose for processing PII and monitoring changes.\u003c/p\u003e\u003cp\u003ePT-1-1-3 Ensure procedures are in place for individuals to consent to the processing of their personally identifiable information prior to its collection to allow for them to make informed decisions regarding the use of their personal information.\u003c/p\u003e\u003cp\u003ePT-1-1.4 Establish privacy risk assessments associated with the processing of personally identifiable information to help determine the appropriate elements to include in privacy notices.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Develop, publish and maintain system of records notices in accordance with OMB guidance when systems are used to maintain a group of any record under the control of CMS from which information is retrieved by the name of an individual or some type of identifying number, symbol, or other identifier.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Obtain approval from the Data Integrity Board when systems or organizations conduct computer matching programs.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2 \u003c/em\u003eDevelop a Personally Identifiable Information Processing and Transparency Policy which is consistent with 
the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2\u003c/em\u003e Review and update policies, procedures, and standards for the Personally Identifiable Information Processing and Transparency Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRA-1 Designate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Risk Assessment family of controls to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the risk to organizational operations (e.g., mission, functions, image, reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information, is assessed.\u003c/li\u003e\u003cli\u003eDevelop, document, implement, and update a risk assessment at least every three years or whenever a significant change occurs to the information system, a change in the threat environment occurs, a significant data breach occurs, or the ATO has expired.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.1 \u003c/em\u003eDevelop and maintain effective implementation of selected information security and privacy controls and control enhancements in the Risk Assessment family of controls as described in the ARS to ensure formal risk assessment processes and policies provide the foundation for protecting sensitive information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.2 \u003c/em\u003eDevelop a Risk Assessment Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Risk Assessment Control family of controls and following defined 
events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Services Acquisition (SA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSA-1 \u003c/strong\u003eThe Program must develop and maintain the System and Services Acquisition family of controls to ensure contracts, especially the Statement of Work (SOW) within the contract, are reviewed for appropriate information security and privacy contracting language specific to the technology or service being acquired. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Services Acquisition family of controls defined in the ARS to ensure:\u003c/p\u003e\u003cp\u003eSA-1.1.1 Appropriate information security and privacy documentation (i.e., information security and privacy functional requirements/specifications, information security-related and privacy-related documentation requirements, and developmental and evaluation- related assurance requirements) are contractually required for the development or acquisition of new systems.\u003c/p\u003e\u003cp\u003eSA-1.1.2 Appropriate information security and privacy language to protect sensitive information, such as PII and PHI, is contractually required for the development, acquisition, or operation of systems, when applicable.\u003c/p\u003e\u003cp\u003eSA-1.1.3 Documented processes and procedures are developed and implemented effectively to facilitate the acquisition of information security and privacy controls in all system and services acquisitions.\u003c/p\u003e\u003cp\u003eSA-1.1.4 Processes and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSA-1.1.5 Sufficient resources to adequately protect organizational 
information systems are allocated by the responsible organization.\u003c/p\u003e\u003cp\u003eSA-1.1.6 System development life cycle processes, as defined under the SDLC, incorporate required information security and privacy considerations.\u003c/p\u003e\u003cp\u003eSA-1.1.7 Software usage and installation restrictions are employed and compliant with CMS policy.\u003c/p\u003e\u003cp\u003eSA-1.1.8 Security specifications, either explicitly or by reference, are included in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal requirements and industry best practices.\u003c/p\u003e\u003cp\u003eSA-1.1.9 Security measures consistent with applicable federal requirements and industry best practices to protect information, applications, and/or services outsourced from the organization are required of third-party vendors and are verified as specified in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.2 \u003c/em\u003eDevelop a System and Services Acquisition Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Services Acquisition Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Communications Protection (SC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSC-1\u003c/strong\u003e The Program must develop and maintain the System and Communications Protection family of controls to ensure the organization develops, documents, and maintains system and communications protection policy, processes, and procedures. 
Through the Program the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Communications Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSC-1.1.1 Review and update the System and Communications Protection Policies and Procedures periodically and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003eSC-1.1.2 Protect the systems assets and information while in transmission or at rest with technical controls based on:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe confidentiality, integrity, and availability of the system\u003c/li\u003e\u003cli\u003eThe sensitivity of information (e.g., PII and PHI) processed or stored by the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.3 Ensure the information system separates user functionality, including user interface services, from system management functionality. 
This separation is achieved by applying the systems security engineering design principles within the TRA to:\u003c/p\u003e
Information Integrity (SI)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSI-1 \u003c/strong\u003eThe Program must develop and maintain the System and Information Integrity family of controls to establish and maintain policy and procedures for the effective implementation of selected information security controls and control enhancements. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSI-1.1.1 Policy, processes, and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSI-1.1.2 Policy, processes, and procedures are implemented to protect the integrity of systems and information and to meet the \u003cem\u003ePrivacy Act \u003c/em\u003erequirements for protection against any anticipated threats or hazards to the security or integrity of records.\u003c/p\u003e\u003cp\u003eSI-1.1.3 Information and information system flaws are identified, reported, and corrected in a timely manner, as defined within the ARS.\u003c/p\u003e\u003cp\u003eSI-1.1.4 Protection from malicious code is provided at appropriate locations within organizational information systems.\u003c/p\u003e\u003cp\u003eSI-1.1.5 Information system security and privacy alerts and advisories issued are monitored and appropriate action taken in response.\u003c/p\u003e\u003cp\u003eSI-1.1.6 Minimum information security and privacy controls are supplemented, as warranted, based on an assessment of risk and local conditions, including organization- specific security requirements, specific threat information, cost-benefit analysis, and special circumstances.\u003c/p\u003e\u003cp\u003eSI-1.1.7 A monitoring strategy is developed 
to implement an ISCM program that is compliant with Federal Rules of Evidence Section 803(6).\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.2 \u003c/em\u003eDevelop a System and Information Integrity Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Information Integrity Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSupply Chain Risk Management (SR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSR-1\u003c/strong\u003e The Program must develop and maintain the Supply Chain Risk Management (SR) family of controls to establish and maintain policy and procedures for the effective implementation of the selected information security controls and control enhancements. In coordination with the CISO, the program, the organization must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Supply chain risk management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.2\u003c/em\u003e Develop a Supply chain risk management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.3\u003c/em\u003e Coordinate with the CMS CISO to establish a process to identify and address weaknesses or deficiencies in the supply chain elements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.4 \u003c/em\u003eEstablish procedures and agreements with entities involved in the supply chain for systems, system components or system services to ensure notification of supply chain compromises that can potentially adversely affect organizational systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.5\u003c/em\u003e Review and 
update policies, procedures, and standards for the Supply chain risk management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eNon-Compliance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe HHS Rules of Behavior (RoB) for Use of Information IT Resources Policy cannot account for every possible situation. Therefore, where this \u003cem\u003ePolicy \u003c/em\u003edoes not provide explicit guidance, personnel shall use their best judgment to apply the principles set forth in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Pages/EthicsManagementOffice.aspx\"\u003estandards\u003c/a\u003e for \u003ca href=\"https://www.ecfr.gov/current/title-5/chapter-XVI/subchapter-B/part-2635\"\u003eethical conduct\u003c/a\u003e to guide their actions and seek guidance when appropriate from the Chief Information Officer (CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this Policy may be cause for disciplinary and non- disciplinary actions. 
Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSuspension of access privileges;\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, and/or facilities;\u003c/li\u003e\u003cli\u003eReprimand;\u003c/li\u003e\u003cli\u003eTermination of employment;\u003c/li\u003e\u003cli\u003eSuspension without pay;\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects;\u003c/li\u003e\u003cli\u003eMonetary fines;\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment;\u003c/li\u003e\u003cli\u003eDeactivate the accounts.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eInformation and Assistance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS ISPG is responsible for the development and management of this policy. Questions, comments, suggestions, and requests for information about this \u003cem\u003ePolicy \u003c/em\u003eshould be directed to: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov.\u003c/a\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEffective Date and Implementation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe effective date of this policy is the date on which the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe CMS CIO has the authority to grant a one (1) year extension of the policy. 
To archive this policy, approval must be granted, in writing, by the CMS CIO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eApproval\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eGeorge Hoffmann\u003c/p\u003e\u003cp\u003eCMS Chief Information Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConcurrence\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis document will be reviewed in accordance with the established review schedule located on the CMS website.\u003c/p\u003e\u003cp\u003eKeith Busby\u003c/p\u003e\u003cp\u003eCMS Chief Information Security Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthoritative References, Statutes, Orders, Directives, Policies, and Guidance\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eFederal Directives and Policies\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eFederal Continuity Directive 1 (FCD 1): Federal Executive Branch National Continuity Program and Requirements, February 2008\u003c/li\u003e\u003cli\u003eHSPD-12, \u003cem\u003ePolicy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-7, \u003cem\u003eCritical Infrastructure Identification, Prioritization, and Protection\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOffice of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology: Statement of Organization, Functions, and Delegations of Authority, 74 Fed. Reg. 57679-57682 (2009)\u003c/li\u003e\u003cli\u003eOffice for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009) Office of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 73 Fed. Reg. 31486-31487 (2008)\u003c/li\u003e\u003cli\u003eOffice of the Secretary: Statement of Organization, Functions, and Delegations of Authority, 72 Fed. Reg. 
19000-19001 (2007)\u003c/li\u003e\u003cli\u003eOffice of Personnel Management (OPM) Regulation 5 Code of Federal Regulations (CFR) 930.301\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eThe Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009\u003c/li\u003e\u003cli\u003e\u003cem\u003ePublic Welfare\u003c/em\u003e, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.\u003c/li\u003e\u003cli\u003eFederal Acquisition Regulation (as amended)\u003c/li\u003e\u003cli\u003eE-Government Act of 2002\u003c/li\u003e\u003cli\u003eThe Federal Information Security Management Act (Pub. L. No. 107-347)\u003c/li\u003e\u003cli\u003eClinger-Cohen Act of 1996\u003c/li\u003e\u003cli\u003eThe Health Insurance Portability and Accountability Act of 1996\u003c/li\u003e\u003cli\u003ePaperwork Reduction Act of 1995\u003c/li\u003e\u003cli\u003eChildrens Online Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Computer Matching and Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 (as amended)\u003c/li\u003e\u003cli\u003eOffice of Federal Procurement Policy Act of 1974\u003c/li\u003e\u003cli\u003eFreedom of Information Act of 1966 (Public Law 89-554, 80 Stat. 383; Amended 1996,2002, 2007)\u003c/li\u003e\u003cli\u003eFederal Records Act of 1950\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eN.3. 
HHS Policy\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eHHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2021-03-001, \u003cem\u003eHHS Policy for Information Technology Procurements - Security and Privacy Language\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2020-01-001, \u003cem\u003eHHS Policy for Securing Wireless Local Area Networks\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-05-003, \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-06-004, \u003cem\u003eHHS Policy for Records Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2019-05-004, \u003cem\u003eHHS Rules of Behavior for the Use of HHS Information and IT Resources Policy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2018-0001.002S, \u003cem\u003eHHS System Inventory Management Standard\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2017-0001.001S\u003cem\u003e, HHS OCIO Minimum Security Configuration Standards Guidance\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2016-0005\u003cem\u003e, HHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2013-0004\u003cem\u003e, Policy for Personal Use of Information Technology Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2012-0001.001S, \u003cem\u003eStandard for Plans of Action and Milestones (POA\u0026amp;M) Management and Reporting\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2010-0002, \u003cem\u003eHHS-OCIO Policy for Capital Planning and Investment Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0004.001, \u003cem\u003eHHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle 
(EPLC)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0001.003, \u003cem\u003eHHS Policy for Responding to Breaches of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS CSIRC Concept of Operations\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Minimum Security Configuration Standards\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eResolving Security Audit Finding Disputes\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity of Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eOffice of Inspector General Management Implication Report Need for Departmental Security Enhancements for Information Technology Assets\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eUpdated Departmental Standard for the Definition of Sensitive Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eRole-Based Training (RBT) of Personnel with Significant Security Responsibilities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS \u003cem\u003ePolicy for Information Technology (IT): Security and Privacy Incident Reporting and Response\u003c/em\u003e\u003c/li\u003e\u003cli\u003e48 CFR Chapter 3 \u003cem\u003eHealth and Human Services Acquisition Regulation (HHSAR)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFAC-2005-46, Federal Acquisition Regulation (FAR), amendments\u003c/li\u003e\u003cli\u003e\u003cem\u003eDepartment Information Security Policy/Standard Waiver\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS 
Information Security Program \u003cem\u003ePrivacy in the System Development Life Cycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eFederal Information Processing Standards (FIPS) 200 Implementation\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS National Security Information Manual\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Personnel Security/Suitability Handbook\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOMB Policy and Memoranda\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eOMB Circular A-108,\u003cem\u003e Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-127, \u003cem\u003eFinancial Management Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-130, \u003cem\u003eManagement of Federal Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-123, \u003cem\u003eManagement Accountability and Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-14-03, \u003cem\u003eEnhancing the Security of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-13-13, \u003cem\u003eOpen Data Policy Managing Information as an Asset\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-12-20, \u003cem\u003eFY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-33, \u003cem\u003eFY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-29, \u003cem\u003eChief Information Officer Authorities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-16, \u003cem\u003e2011 Issuance of Revised Parts I and II to Appendix C of OMB Circular A- 123\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-11, 
\u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-02, \u003cem\u003eSharing Data While Protecting Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-22, \u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-23, \u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-15, \u003cem\u003eFY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-06, \u003cem\u003eOpen Government Directive\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-09-29, \u003cem\u003eFY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-21, \u003cem\u003eFY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-23, \u003cem\u003eSecuring the Federal Governments Domain Name System Infrastructure\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-09, \u003cem\u003eNew FISMA Privacy Reporting Requirements for FY 2008\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-10, \u003cem\u003eUse of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-20, \u003cem\u003eFY 2007 E-Government Act Reporting Instructions\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-19, \u003cem\u003eFY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-16, 
\u003cem\u003eSafeguarding Against and Responding to the Breach of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-20, \u003cem\u003eFY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-19, \u003cem\u003eReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-16, \u003cem\u003eProtection of Sensitive Agency Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-15, \u003cem\u003eSafeguarding Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-24, \u003cem\u003eImplementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-15, \u003cem\u003eFY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-08, \u003cem\u003eDesignation of Senior Agency Officials for Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-04, \u003cem\u003ePolicies for Federal Agency Public Websites\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-26, \u003cem\u003ePersonal Use Policies and File Sharing Technology\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-03-22, \u003cem\u003eOMB Guidance for Implementing the Privacy Provisions of the E- Government Act of 2002 (as amended)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-04, \u003cem\u003eE-Authentication Guidance for Federal Agencies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-24, \u003cem\u003eReporting Instructions for the Government Information Security Reform Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-05, 
\u003cem\u003eGuidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-20, \u003cem\u003eSecurity of Federal Automated Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-05, \u003cem\u003eInstructions on Complying with President's Memorandum of May 14, 1998, \"Privacy and Personal Information in Federal Records\"\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-96-20, \u003cem\u003eImplementation of the Information Technology Management Reform Act of 1996\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eNIST SP 800-122, \u003cem\u003eGuide to Protecting Confidentiality of PII\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-81, \u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-65, \u003cem\u003eIntegrating IT Security into the Capital Planning and Investment Control Process\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-64, \u003cem\u003eSecurity Considerations in the System Development Lifecycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-63, \u003cem\u003eElectronic Authentication Guideline\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-61, \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-58, \u003cem\u003eSecurity Considerations for Voice Over IP Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53A, \u003cem\u003eGuide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment 
Plans\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53, \u003cem\u003eRecommended Security Controls for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-37, \u003cem\u003eGuide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-34, \u003cem\u003eContingency Planning Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-30, \u003cem\u003eRisk Management Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-16, \u003cem\u003eInformation Technology Security Training Requirements: A Role- and Performance-Based Model\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST \u003cem\u003eUnited States Government Configuration Baseline for Windows XP \u0026amp; Vista\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 200, \u003cem\u003eMinimum Security Requirements for Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 199, \u003cem\u003eStandards for Security Categorization of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 140-3, \u003cem\u003eSecurity Requirements for Cryptographic Modules\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST United States Government Configuration Baseline (USGCB)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Policy and Directives\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCMS Information Security Acceptable Risk Safeguards, CMS ARS Version 5.0\u003c/li\u003e\u003cli\u003eCMS Vulnerability Disclosure Policy Program\u003c/li\u003e\u003cli\u003eCMS Supply Chain Risk Management Policy\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAssociated CMS 
Resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISPG Library is available at: \u003ca href=\"https://security.cms.gov/\"\u003ehttps://security.cms.gov.\u003c/a\u003e It contains up-to-date policies, procedures, and directives, including those approved after release of this Policy.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"jcallan - 
retired\"}\n26:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"mburgess\"}\n2a:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+0"])</script><script>self.__next_f.push([1,"0:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"
}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_in"])</script><script>self.__next_f.push([1,"ternal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/r"])</script><script>self.__next_f.push([1,"oles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data 
Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c"])</script><script>self.__next_f.push([1,"0e-6e5076b6cf26\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n93:{\"related\":\"$94"])</script><script>self.__next_f.push([1,"\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"roles\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\naf:{\"href\":\"https://cybe"])</script><script>self.__next_f.push([1,"rgeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\nb1:{\"self\":\"$b2\"}\nb4:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb3:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b4\"}\nb8:{\"drupal_internal__target_id\":\"roles\"}\nb7:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b8\"}\nba:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb9:{\"related\":\"$ba\",\"self\":\"$bb\"}\nb6:{\"data\":\"$b7\",\"links\":\"$b9\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nbf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nbd:{\"related\":\"$be\",\"self\":\"$bf\"}\nbc:{\"data\":null,\"links\":\"$bd\"}\nc6:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc5:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c6\"}\nc4:{\"help\":\"$c5\"}\nc3:{\"links\":\"$c4\"}\nc2:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$c3\"}\nc1:[\"$c2\"]\nc8:{\"href\":\"https://cyberge"])</script><script>self.__next_f.push([1,"ek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nc9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc7:{\"related\":\"$c8\",\"self\":\"$c9\"}\nc0:{\"data\":\"$c1\",\"links\":\"$c7\"}\nb5:{\"vid\":\"$b6\",\"revision_user\":\"$bc\",\"parent\":\"$c0\"}\nb0:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b5\"}\ncc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}\ncb:{\"self\":\"$cc\"}\nce:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncd:{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 
Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$ce\"}\nd2:{\"drupal_internal__target_id\":\"topics\"}\nd1:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d2\"}\nd4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"}\nd5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}\nd3:{\"related\":\"$d4\",\"self\":\"$d5\"}\nd0:{\"data\":\"$d1\",\"links\":\"$d3\"}\nd8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"}\nd9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}\nd7:{\"related\":\"$d8\",\"self\":\"$d9\"}\nd6:{\"data\":null,\"links\":\"$d7\"}\ne0:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ndf:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"met"])</script><script>self.__next_f.push([1,"a\":\"$e0\"}\nde:{\"help\":\"$df\"}\ndd:{\"links\":\"$de\"}\ndc:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$dd\"}\ndb:[\"$dc\"]\ne2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}\ne1:{\"related\":\"$e2\",\"self\":\"$e3\"}\nda:{\"data\":\"$db\",\"links\":\"$e1\"}\ncf:{\"vid\":\"$d0\",\"revision_user\":\"$d6\",\"parent\":\"$da\"}\nca:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":\"$cb\",\"attributes\":\"$cd\",\"relationships\":\"$cf\"}\ne6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}\ne5:{\"self\":\"$e6\"}\ne8:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ne7:{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$e8\"}\nec:{\"drupal_internal__target_id\":\"topics\"}\neb:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ec\"}\nee:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"}\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}\ned:{\"related\":\"$ee\",\"self\":\"$ef\"}\nea:{\"data\":\"$eb\",\"links\":\"$ed\
"}\nf2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_user?resourceVersion=id%3A31\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}\nf1:{\"related\":\"$f2\",\"self\":\"$f3\"}\nf0:{\"data\":null,\"links\":\"$f1\"}\nfa:{\"about\":\"Usage "])</script><script>self.__next_f.push([1,"and meaning of the 'virtual' resource identifier.\"}\nf9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$fa\"}\nf8:{\"help\":\"$f9\"}\nf7:{\"links\":\"$f8\"}\nf6:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$f7\"}\nf5:[\"$f6\"]\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}\nfb:{\"related\":\"$fc\",\"self\":\"$fd\"}\nf4:{\"data\":\"$f5\",\"links\":\"$fb\"}\ne9:{\"vid\":\"$ea\",\"revision_user\":\"$f0\",\"parent\":\"$f4\"}\ne4:{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":\"$e5\",\"attributes\":\"$e7\",\"relationships\":\"$e9\"}\n100:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a?resourceVersion=id%3A19045\"}\nff:{\"self\":\"$100\"}\n102:[]\n104:Tbd2,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is considered “sensitive information”?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompromise the security or privacy of CMS employees or customers\u003c/li\u003e\u003cli\u003eNegatively impact CMS or its 
programs\u003c/li\u003e\u003cli\u003eCompromise the security of proprietary CMS information or systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAnother way to think of it is, “any information that is not public or is sensitive.” When in doubt, it's best to be cautious and treat the information as sensitive.\u003c/p\u003e\u003cp\u003eEmails containing CMS sensitive information should only be sent to people on a “need to know” basis.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhen do I need to encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eYou \u003cstrong\u003edo not\u003c/strong\u003e need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain — even if the email contains CMS sensitive information. If an email with sensitive information \u003cstrong\u003ewill go outside\u003c/strong\u003e the CMS domain, it should be encrypted.\u003c/p\u003e\u003cp\u003eCMS is no longer part of the HHS email shared service environment.\u0026nbsp; HHS and other OpDivs need to be treated the same as all other non-CMS entities.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do I encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor recipients \u003cstrong\u003eoutside of the CMS email\u003c/strong\u003e service environment or trusted domain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEncrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/li\u003e\u003cli\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using encryption software that meets FIPS 140-2 (e.g., SecureZip).\u003c/li\u003e\u003cli\u003eStep-by-step instructions for encrypting your email can be found on \u003ca 
href=\"https://cmsitsm.servicenowservices.com/connect?page=search\u0026amp;q=email%20encryption\u0026amp;disableAllSuggestions=false\u0026amp;search_application=35b361901b5191100888ed7bbc4bcba5\u0026amp;disableSpellCheck=false\u0026amp;spa=1\"\u003eCMS Connect\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003ePasswords for encrypted attachments\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSometimes you may need to share a password for someone to access an encrypted email attachment.\u0026nbsp; The method for sharing the password should protect it from compromise, so the password should not travel over the same channel as the encrypted attachment.\u003c/p\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare not\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmail\u003c/li\u003e\u003cli\u003eInstant messaging clients that are integrated with Microsoft Outlook (e.g., Lync / Skype)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOver the phone\u003c/li\u003e\u003cli\u003eText message\u003c/li\u003e\u003cli\u003eShared secret (e.g., “It's the name of our city's baseball team”)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWho enforces email encryption policies?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. 
This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"105:Tbd2,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is considered “sensitive information”?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS sensitive information is any kind of data or information that, if accessed by the wrong people or used improperly, could:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCompromise the security or privacy of CMS employees or customers\u003c/li\u003e\u003cli\u003eNegatively impact CMS or its programs\u003c/li\u003e\u003cli\u003eCompromise the security of proprietary CMS information or systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAnother way to think of it is, “any information that is not public or is sensitive.” When in doubt, it's best to be cautious and treat the information as sensitive.\u003c/p\u003e\u003cp\u003eEmails containing CMS sensitive information should only be sent to people on a “need to know” basis.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhen do I need to encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eYou \u003cstrong\u003edo not\u003c/strong\u003e need to encrypt emails that will remain within the CMS email environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain — even if the email contains CMS sensitive information. 
If an email with sensitive information \u003cstrong\u003ewill go outside\u003c/strong\u003e the CMS domain, it should be encrypted.\u003c/p\u003e\u003cp\u003eCMS is no longer part of the HHS email shared service environment.\u0026nbsp; HHS and other OpDivs need to be treated the same as all other non-CMS entities.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow do I encrypt my email?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor recipients \u003cstrong\u003eoutside of the CMS email\u003c/strong\u003e service environment or trusted domain:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEncrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/li\u003e\u003cli\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using encryption software that meets FIPS 140-2 (e.g., SecureZip).\u003c/li\u003e\u003cli\u003eStep-by-step instructions for encrypting your email can be found on \u003ca href=\"https://cmsitsm.servicenowservices.com/connect?page=search\u0026amp;q=email%20encryption\u0026amp;disableAllSuggestions=false\u0026amp;search_application=35b361901b5191100888ed7bbc4bcba5\u0026amp;disableSpellCheck=false\u0026amp;spa=1\"\u003eCMS Connect\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003ePasswords for encrypted attachments\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eSometimes you may need to share a password for someone to access an encrypted email attachment.\u0026nbsp; The method for sharing the password should protect it from compromise, so the password should not travel over the same channel as the encrypted attachment.\u003c/p\u003e\u003cp\u003eThe following mediums \u003cstrong\u003eare not\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEmail\u003c/li\u003e\u003cli\u003eInstant messaging clients that are integrated with Microsoft Outlook (e.g., Lync / Skype)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe following mediums 
\u003cstrong\u003eare\u003c/strong\u003e acceptable for sharing these passwords:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOver the phone\u003c/li\u003e\u003cli\u003eText message\u003c/li\u003e\u003cli\u003eShared secret (e.g., “Its the name of our citys baseball team”)\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eWho enforces email encryption policies?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operations Executive is responsible for ensuring that CMS employees and contractors keep sensitive information safe. This includes making sure that sensitive emails are always encrypted when going outside the trusted domain.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"103:{\"value\":\"$104\",\"format\":\"body_text\",\"processed\":\"$105\"}\n101:{\"drupal_internal__id\":1106,\"drupal_internal__revision_id\":19045,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:42:34+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$102\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$103\"}\n109:{\"drupal_internal__target_id\":\"page_section\"}\n108:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$109\"}\n10b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/paragraph_type?resourceVersion=id%3A19045\"}\n10c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/relationships/paragraph_type?resourceVersion=id%3A19045\"}\n10a:{\"related\":\"$10b\",\"self\":\"$10c\"}\n107:{\"data\":\"$108\",\"links\":\"$10a\"}\n10f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/field_specialty_item?resourceVersion=id%3A19045\"}\n110:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd
2aa83b8a/relationships/field_specialty_item?resourceVersion=id%3A19045\"}\n10e:{\"related\":\"$10f\",\"self\":\"$110\"}\n10d:{\"data\":null,\"links\":\"$10e\"}\n106:{\"paragraph_type\":\"$107\",\"field_specialty_item\":\"$10d\"}\nfe:{\"type\":\"paragraph--page_section\",\"id\":\"2a7eced9-d779-4ebd-869f-7edd2aa83b8a\",\"links\":\"$ff\",\"attributes\":\"$101\",\"relationships\":\"$106\"}\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886?resourceVersion=id%3A19046\"}\n112:{\"self\":\"$113\"}\n115:[]\n114:{\"drupal_internal__id\":1926,\"drupal_internal__revision_id\":19046,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:50:20+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$115\",\"default_langcode\":true,\"revision_translation_affected\":true}\n119:{\"drupal_internal__target_id\":\"int"])</script><script>self.__next_f.push([1,"ernal_link\"}\n118:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$119\"}\n11b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/paragraph_type?resourceVersion=id%3A19046\"}\n11c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/relationships/paragraph_type?resourceVersion=id%3A19046\"}\n11a:{\"related\":\"$11b\",\"self\":\"$11c\"}\n117:{\"data\":\"$118\",\"links\":\"$11a\"}\n11f:{\"drupal_internal__target_id\":706}\n11e:{\"type\":\"node--explainer\",\"id\":\"adea5bd3-a6c3-4b20-a953-0673e8f5ac17\",\"meta\":\"$11f\"}\n121:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/field_link?resourceVersion=id%3A19046\"}\n122:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/relationships/field_link?resourceVersion=id%
3A19046\"}\n120:{\"related\":\"$121\",\"self\":\"$122\"}\n11d:{\"data\":\"$11e\",\"links\":\"$120\"}\n116:{\"paragraph_type\":\"$117\",\"field_link\":\"$11d\"}\n111:{\"type\":\"paragraph--internal_link\",\"id\":\"5262afc3-2920-4b7e-b083-cec3ede07886\",\"links\":\"$112\",\"attributes\":\"$114\",\"relationships\":\"$116\"}\n125:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76?resourceVersion=id%3A19047\"}\n124:{\"self\":\"$125\"}\n127:[]\n126:{\"drupal_internal__id\":1931,\"drupal_internal__revision_id\":19047,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:49:44+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$127\",\"default_langcode\":true,\"revision_translation_affected\":true}\n12b:{\"drupal_internal__target_id\":\"internal_link\"}\n12a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$12b\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/paragraph_type?resourceVersion=id%3A19047\"}\n12e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/parag"])</script><script>self.__next_f.push([1,"raph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/relationships/paragraph_type?resourceVersion=id%3A19047\"}\n12c:{\"related\":\"$12d\",\"self\":\"$12e\"}\n129:{\"data\":\"$12a\",\"links\":\"$12c\"}\n131:{\"drupal_internal__target_id\":601}\n130:{\"type\":\"node--library\",\"id\":\"f8e23203-8567-43de-8aa4-a901b33bc95b\",\"meta\":\"$131\"}\n133:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/field_link?resourceVersion=id%3A19047\"}\n134:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/relationships/field_link?resourceVersion=id%3A19047\"}\n132:{\"related\":\"$133\",\"self\":\"$134\"}\n12f:{\"dat
a\":\"$130\",\"links\":\"$132\"}\n128:{\"paragraph_type\":\"$129\",\"field_link\":\"$12f\"}\n123:{\"type\":\"paragraph--internal_link\",\"id\":\"d5fd9ffa-0508-4b94-85d9-d04727a36e76\",\"links\":\"$124\",\"attributes\":\"$126\",\"relationships\":\"$128\"}\n137:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca?resourceVersion=id%3A19048\"}\n136:{\"self\":\"$137\"}\n139:[]\n138:{\"drupal_internal__id\":1936,\"drupal_internal__revision_id\":19048,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:51:14+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$139\",\"default_langcode\":true,\"revision_translation_affected\":true}\n13d:{\"drupal_internal__target_id\":\"internal_link\"}\n13c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$13d\"}\n13f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/paragraph_type?resourceVersion=id%3A19048\"}\n140:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/relationships/paragraph_type?resourceVersion=id%3A19048\"}\n13e:{\"related\":\"$13f\",\"self\":\"$140\"}\n13b:{\"data\":\"$13c\",\"links\":\"$13e\"}\n143:{\"drupal_internal__target_id\":671}\n142:{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":\"$143\"}\n145:{\"href\""])</script><script>self.__next_f.push([1,":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/field_link?resourceVersion=id%3A19048\"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/relationships/field_link?resourceVersion=id%3A19048\"}\n144:{\"related\":\"$145\",\"self\":\"$146\"}\n141:{\"data\":\"$142\",\"links\":\"$144\"}\n13a:{\"paragraph_type\":\"$13b\"
,\"field_link\":\"$141\"}\n135:{\"type\":\"paragraph--internal_link\",\"id\":\"3f396b7c-369d-4927-9ed4-674b54a646ca\",\"links\":\"$136\",\"attributes\":\"$138\",\"relationships\":\"$13a\"}\n149:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17?resourceVersion=id%3A5740\"}\n148:{\"self\":\"$149\"}\n14b:{\"alias\":\"/learn/cms-enterprise-data-encryption-cede\",\"pid\":696,\"langcode\":\"en\"}\n14c:{\"value\":\"How CMS satisfies federal requirements for the encryption of data to keep sensitive information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eHow CMS satisfies federal requirements for the encryption of data to keep sensitive information safe\u003c/p\u003e\\n\"}\n14d:[\" #ispg-sec_privacy-policy\"]\n14a:{\"drupal_internal__nid\":706,\"drupal_internal__vid\":5740,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T23:05:04+00:00\",\"status\":true,\"title\":\"CMS Enterprise Data Encryption (CEDE)\",\"created\":\"2023-02-08T23:02:09+00:00\",\"changed\":\"2024-07-31T23:05:04+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$14b\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$14c\",\"field_slack_channel\":\"$14d\"}\n151:{\"drupal_internal__target_id\":\"explainer\"}\n150:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$151\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/node_type?resourceVersi"])</script><script>self.__next_f.push([1,"on=id%3A5740\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/node_type?resourceVersion=id%3A5740\"}\n152:{\"related\":\"$153\",\"self\":\"$154\"}\n14f:{\"data\":\"$150\",\"links\":\"$152\"}\n157:{\"drupal_internal__target_id\":6}\n156:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$157\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/revision_uid?resourceVersion=id%3A5740\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/revision_uid?resourceVersion=id%3A5740\"}\n158:{\"related\":\"$159\",\"self\":\"$15a\"}\n155:{\"data\":\"$156\",\"links\":\"$158\"}\n15d:{\"drupal_internal__target_id\":6}\n15c:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$15d\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/uid?resourceVersion=id%3A5740\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/uid?resourceVersion=id%3A5740\"}\n15e:{\"related\":\"$15f\",\"self\":\"$160\"}\n15b:{\"data\":\"$15c\",\"links\":\"$15e\"}\n164:{\"target_revision_id\":18947,\"drupal_internal__target_id\":991}\n163:{\"type\":\"paragraph--page_section\",\"id\":\"4b1d8d6e-a8a2-4e11-80a6-27a405215623\",\"meta\":\"$164\"}\n162:[\"$163\"]\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0
673e8f5ac17/field_page_section?resourceVersion=id%3A5740\"}\n167:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_page_section?resourceVersion=id%3A5740\"}\n165:{\"related\":\"$166\",\"self\":\"$167\"}\n161:{\"data\":\"$162\",\"links\":\"$165\"}\n16b:{\"target_revision_id\":18948,\"drupal_internal__target_id\":1766}\n16a:{\"type\":\"paragraph--internal_link\",\"id\":\"fd0df184-c977-437e-a3cf-dca03ceb1ece\",\"meta\":\"$16b\"}\n16d:{\"target_revision_id\":18949,\"drupal_internal__target_id\":1771}\n16c:{\"type\":\"paragraph--internal_link\",\"id\":\"30c05b72-b1c5-4a6c-8763"])</script><script>self.__next_f.push([1,"-f01546196041\",\"meta\":\"$16d\"}\n169:[\"$16a\",\"$16c\"]\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_related_collection?resourceVersion=id%3A5740\"}\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_related_collection?resourceVersion=id%3A5740\"}\n16e:{\"related\":\"$16f\",\"self\":\"$170\"}\n168:{\"data\":\"$169\",\"links\":\"$16e\"}\n173:{\"drupal_internal__target_id\":131}\n172:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$173\"}\n175:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_resource_type?resourceVersion=id%3A5740\"}\n176:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_resource_type?resourceVersion=id%3A5740\"}\n174:{\"related\":\"$175\",\"self\":\"$176\"}\n171:{\"data\":\"$172\",\"links\":\"$174\"}\n17a:{\"drupal_internal__target_id\":61}\n179:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$17a\"}\n17c:{\"drupal_internal__target_id\":76}\n17b:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3
329f34\",\"meta\":\"$17c\"}\n178:[\"$179\",\"$17b\"]\n17e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_roles?resourceVersion=id%3A5740\"}\n17f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_roles?resourceVersion=id%3A5740\"}\n17d:{\"related\":\"$17e\",\"self\":\"$17f\"}\n177:{\"data\":\"$178\",\"links\":\"$17d\"}\n183:{\"drupal_internal__target_id\":16}\n182:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$183\"}\n181:[\"$182\"]\n185:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_topics?resourceVersion=id%3A5740\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_topics?resourceVersion=id%3A5740\"}"])</script><script>self.__next_f.push([1,"\n184:{\"related\":\"$185\",\"self\":\"$186\"}\n180:{\"data\":\"$181\",\"links\":\"$184\"}\n14e:{\"node_type\":\"$14f\",\"revision_uid\":\"$155\",\"uid\":\"$15b\",\"field_page_section\":\"$161\",\"field_related_collection\":\"$168\",\"field_resource_type\":\"$171\",\"field_roles\":\"$177\",\"field_topics\":\"$180\"}\n147:{\"type\":\"node--explainer\",\"id\":\"adea5bd3-a6c3-4b20-a953-0673e8f5ac17\",\"links\":\"$148\",\"attributes\":\"$14a\",\"relationships\":\"$14e\"}\n189:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b?resourceVersion=id%3A5865\"}\n18a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b?resourceVersion=rel%3Aworking-copy\"}\n188:{\"self\":\"$189\",\"working-copy\":\"$18a\"}\n18c:{\"alias\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"pid\":591,\"langcode\":\"en\"}\n18e:T34350,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h2\u003e
\u003cp\u003eAs required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this \u003cem\u003ePolicy \u003c/em\u003edefines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information. As the federal agency responsible for administering the Medicare, Medicaid, Childrens Health Insurance Program (CHIP), and Health Insurance Exchange (HIX), CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, or guidance. All NIST Special Publication (SP) 800 series are applicable to CMS policy including the \u003cem\u003eIS2P2\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003erequires all CMS stakeholders, including Business Owners and System Security and Privacy Officer (previously known as ISSO) to implement adequate information security and privacy safeguards to protect all CMS-sensitive information. The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the Senior Official for Privacy (SOP) jointly develop and maintain this document. 
All references contained in this \u003cem\u003ePolicy \u003c/em\u003eare subject to periodic revision, update, and reissuance.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS Information Security and Privacy Group (ISPG), under the direction of the CMS Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), is tasked with overseeing the Cybersecurity and Privacy Programs for the agency. Following the Federal and HHS requirements, CMS ISPG identifies cybersecurity and privacy risks, implements mitigation strategies and ensures the confidentiality, integrity and availability of CMS-sensitive information and information systems. These activities are aimed at safeguarding and preventing unauthorized disclosure of Personally Identifiable Information (PII) and Protected Health Information (PHI) entrusted to CMS.\u003c/p\u003e\u003cp\u003eISPG recognized the need to develop a policy that references and incorporates the security and privacy requirements from authoritative sources while tailoring it to suit the CMS physical and information technology environments. This \u003cem\u003ePolicy \u003c/em\u003eexplains the scope and applicability of security and privacy requirements as it pertains to CMS information systems. This \u003cem\u003ePolicy \u003c/em\u003ealso defines the security and privacy control baselines as well as the supplemental controls available for selection and should be used in conjunction with the \u003cem\u003eAcceptable Risk Safeguards (ARS)\u003c/em\u003e, CMS process guidelines and other supporting CMS-established policies, procedures, and standards. 
The format of these requirements is scalable to accommodate modifications or the addition of new requirements over time as a result of the ever-changing cybersecurity landscape.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003esupersedes the \u003cem\u003eCMS Information System Security and Privacy Policy (IS2P2) v 3.3\u003c/em\u003e, and supplements the HHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P) v 1.1\u003c/em\u003e, and it applies to all CMS personnel or entities:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConducting business for CMS\u003c/li\u003e\u003cli\u003eCollecting or maintaining information for CMS\u003c/li\u003e\u003cli\u003eUsing or operating information systems on behalf of CMS whether directly or through contractual relationships.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe below list of CMS personnel or entities include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational components, centers, or offices\u003c/li\u003e\u003cli\u003eFederal employees, contractor personnel, interns, or other non-government employees operating on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not supersede any other applicable laws, higher-level agency directives, or the existing labor-management agreement in place.\u003c/p\u003e\u003cp\u003eThe contents of and the compliance with this \u003cem\u003ePolicy \u003c/em\u003emust be incorporated into the applicable contract language, as appropriate. Any contract, agreement, or other arrangement that collects, creates, uses, discloses, or maintains sensitive information, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI), must comply with this \u003cem\u003ePolicy\u003c/em\u003e. 
In some cases, other external agency policies may also apply (e.g., if a system processes, stores, or transmits Federal Tax Information [FTI]).\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, \u003cem\u003eUnited States Intelligence Activities, \u003c/em\u003eor subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Privacy Act questions should be directed to the CMS Privacy Act Officer.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthorities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including FISMA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Privacy Act of 1974 (“Privacy Act”). This \u003cem\u003ePolicy \u003c/em\u003eaddresses CMS applicable information security and privacy requirements arising from federal legislation, mandates, directives, executive orders, and the Department of Health and Human Services (HHS) policies by integrating NIST Special Publication (SP) 800-53 Revision 5, \u003cem\u003eSecurity and Privacy Controls for Federal Information Systems and Organizations \u003c/em\u003ewith the \u003cem\u003eDepartment of Health and Human Services Policy for Information Systems Security and Privacy Protection (HHS IS2P) \u003c/em\u003eand other specific programmatic legislations and CMS regulations. 
The authoritative references include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuy American Act, 41 U.S.C §§ 8301-8305\u003c/li\u003e\u003cli\u003eDHS Binding Operational Directive 18-02, Securing High-Value Assets May 7, 2018\u003c/li\u003e\u003cli\u003eExecutive Order 13556, the Controlled Unclassified Information (CUI) program\u003c/li\u003e\u003cli\u003eE-Government Act of 2002 (44 U.S.C. Chapters 35 and 36)\u003c/li\u003e\u003cli\u003eFamily Educational Rights and Privacy Act (FERPA) 20 U.S.C. § 1232g\u003c/li\u003e\u003cli\u003eFederal Acquisition Supply Chain Security Act of 2018\u003c/li\u003e\u003cli\u003eFederal Information Processing Standards: FIPS 140-2, FIPS 199, FIPS 200, FIPS 201-1\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C § 3551\u003c/li\u003e\u003cli\u003eFinancial Audit Manual (FAM), GAO-18-G01G: Published June 14, 2018\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub.L. 104191, 110 Stat. 1936, enacted August 21, 1996)\u003c/li\u003e\u003cli\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/li\u003e\u003cli\u003eHomeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eH.R. 
1232 Federal Information Technology Acquisition Reform\u003c/li\u003e\u003cli\u003eNational Archives and Records Administration, CUI Registry\u003c/li\u003e\u003cli\u003eNIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/li\u003e\u003cli\u003eNIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u003c/li\u003e\u003cli\u003eNIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003eNIST SP 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Revision 1, Guidelines for Media Sanitization\u003c/li\u003e\u003cli\u003eNIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices\u003c/li\u003e\u003cli\u003eNIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eNIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing\u003c/li\u003e\u003cli\u003eNIST SP 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)\u003c/li\u003e\u003cli\u003eNIST SP 800-171, Rev. 
2, Protecting CUI in Nonfederal Systems\u003c/li\u003e\u003cli\u003eNIST SP 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies\u003c/li\u003e\u003cli\u003eNIST SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130, Managing Information as a Strategic Resource\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information\u003c/li\u003e\u003cli\u003eOMB memorandums M-02-01, M-03-22, M-10-22, M-10-23, M-16-17. M-14-03, M-17-12\u003c/li\u003e\u003cli\u003eOPM Information systems security awareness training program, 5 CFR § 930.301\u003c/li\u003e\u003cli\u003ePublic Law 113-291, Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018\u003c/li\u003e\u003cli\u003eSection 508 of the Rehabilitation Act of 1973, as amended in 1998 (29 U.S.C 794d)\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 as amended (5 U.S.C. 552a).\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDocument Organization\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CIO, CISO, and SOP designed this \u003cem\u003ePolicy \u003c/em\u003eto comply with the NIST 800-53, Revision 5, Program Management (PM) control family. This \u003cem\u003ePolicy \u003c/em\u003eintegrates information security and privacy roles, responsibilities, and controls into the CMS Information Security and Privacy Program. 
The key contents of this \u003cem\u003ePolicy \u003c/em\u003einclude:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn overall description of the Information Security and Privacy Program (Section 6)\u003c/li\u003e\u003cli\u003eDescriptions of specific roles and responsibilities of key CMS security and privacy Stakeholders (Section 7)\u003c/li\u003e\u003cli\u003eDefining HHS and CMS-specific tailored policies, policies associated with the security and privacy control families, and the consequences for non-compliance (Sections 8, 9, \u0026amp; 10)\u003c/li\u003e\u003cli\u003eSupporting Appendices provide references, a glossary of terms, and acronyms:\u003cul\u003e\u003cli\u003eAppendix A: References\u003c/li\u003e\u003cli\u003eAppendix B: Glossary of Terms and Acronyms.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn accordance with HHS policy, CMS must update this \u003cem\u003ePolicy \u003c/em\u003eat least every three years (36 months). In cases where existing policy is insufficient to address changes in governance (e.g., legislation, directives, mandates, executive orders, or HHS policy) or emerging technology, the CMS CIO may publish ad hoc or specialized interim directives or memorandums to address the area of concern. As appropriate, the interim directive or memorandum may be integrated into future releases of or incorporated as an appendix to this \u003cem\u003ePolicy\u003c/em\u003e. The CMS CISO and SOP may develop \u003cem\u003ememorandums \u003c/em\u003ethat provide actionable guidance that supports best practices and procedures in support of the implementation of CIO policies and directives, along with legislation, mandates, executive orders and other federal mandates.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInformation Security and Privacy Program Summary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CISO and SOP are responsible for managing the Information Security and Privacy Program (henceforth “Program”). 
This section describes how specific functional areas of the Program help CMS stakeholders apply this \u003cem\u003ePolicy \u003c/em\u003ein protecting CMS information and information systems.\u003c/p\u003e\u003cp\u003eCMS security and privacy disciplines are now integrated into a single Program. However, there are requirements unique to each discipline. Privacy as well as security policies apply to CMS programs and activities at their inception, even before information systems are identified or defined. Business Owners must identify the security and privacy requirements, compliance documentation, and contract requirements prior to system development.\u003c/p\u003e\u003cp\u003ePrivacy policies apply to the collection, creation, use, disclosure, and retention of information that identifies an individual (i.e., PII, including PHI) in electronic or physical form. CMSs responsibility for protecting the privacy interests of individuals applies to all types of information, regardless of its form. All CMS standards, regulations, directives, practices, and procedures must clearly state that all forms of information must be protected.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePolicy and Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe policy and governance functional area establishes and implements the information security and privacy program which develops organizational security and privacy policies, standards, directives, practices, and procedures within the CMS environment. The responsibilities include developing, implementing, and disseminating this \u003cem\u003ePolicy \u003c/em\u003eto align with and supplement HHS policies, federal legislation, and best practices. 
The \u003cem\u003eCMS Acceptable Risk Safeguards (ARS) \u003c/em\u003eis the HHS Operating Division (OpDiv) of CMSs implementation of the National Institute of Standards and Technologys (NIST) Special Publications (SP) 800-53, Revision 5, and it contains detailed minimum control standards that are traceable to the policies contained herein. Each security and privacy control description provides CMS-specified implementation details for all the security and privacy controls allocated as a baseline to an identified CMS FISMA system based on the FIPS 199 Security Category. Additional CMS-established policies and procedures can serve as further guidance for administering CMS standards, requirements, directives, practices, and procedures for protecting CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management and Compliance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe risk management and compliance functional area provides a multi-level approach to managing information system-related security and privacy risks at the \u003cem\u003eenterprise level\u003c/em\u003e, the \u003cem\u003emission/business process \u003c/em\u003elevel, and the \u003cem\u003einformation system \u003c/em\u003elevel to protect CMS information system assets and individuals accessing these assets. CMS provides a risk-based approach for managing information system-related security and privacy risk which is based on NIST SP 800- 37, Revision 2, \u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. \u003c/em\u003eThis framework includes developing and updating risk management and compliance processes and procedures to align with HHS policies, federal legislation, and federal cybersecurity and privacy frameworks. 
The CMS security and privacy program, under the direction of the Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), oversees the agency-wide implementation of this framework which includes Security Assessment and Authorization (SA\u0026amp;A), Continuous Diagnostics and Mitigation (CDM), FISMA reporting, internal assessments/audits, and other external assessments/audits.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe awareness and training functional area provides organizational security and privacy awareness training and specific role-based training (RBT) for all CMS stakeholders with Significant Security Responsibilities (SSR). The responsibilities include developing curriculum and content, delivering training, ensuring training policies and procedures are current, tracking training status, and reporting on completed security awareness and RBT courses.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat and Incident Handling\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cyber threat and incident handling functional area supports CMS's cyber threat intelligence, information sharing, and incident handling, including breach response. The responsibilities include developing, updating, and disseminating processes and procedures to coordinate information sharing and investigating incidents across CMS, following established CMS Incident Response (IR) procedures.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuity of Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe continuity of operations functional area provides plans and procedures to ensure continuity of operations for information systems that support CMS operations and assets. 
The responsibilities include developing processes and procedures for system contingency planning, disaster recovery, and participation in federal continuity exercises.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section details significant information security and privacy roles and responsibilities for CMS stakeholders. The responsibilities, defined by role rather than position, are derived from the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, RBT requirements, and CMS-specific responsibilities. This section also enhances the responsibilities defined within the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, to address CMS's needs. Therefore, CMS stakeholders must also refer to the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003efor additional detail.\u003c/p\u003e\u003cp\u003eA current version of the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003emay be requested via the HHS Office of Information Security (OIS) mailbox at \u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\"\u003eHHSCybersecurityPolicy@hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eMost of the roles described in this section are restricted to federal employees based on the specific position and role they fulfill within the CMS organization, while others may be filled by either a federal employee or a contractor.\u003c/p\u003e\u003cp\u003eFor additional information, please check CMS Organizational Charts.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS personnel, whether federal employees, contractors (including subcontractors), or entities operating on behalf of CMS, must adhere to the information security and privacy 
responsibilities defined within this section. This subsection describes CMS-specific responsibilities for the roles “All Users” and “Supervisors.”\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFederal Employees and Contractors (All Users)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAll CMS federal employees and contractors (including subcontractors) must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.36, \u003cem\u003eAll Users\u003c/em\u003e. All users have the responsibility to protect CMS's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction by complying with the information security and privacy requirements maintained in this Policy.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of the CMS federal employees and contractors must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConsider all \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf\"\u003ebrowsing activities sensitive\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNotify the CMS CISO and SOP of actual or suspected information security and privacy incidents and breaches, including those involving CMS sensitive data, using CMS-specified procedures established in the CMS Incident Response (IR) procedures and applicable Rules of Behavior (RoB).\u003c/li\u003e\u003cli\u003eComplete mandatory security and privacy awareness training before accessing CMS information systems and annually thereafter.\u003c/li\u003e\u003cli\u003eFor all newly hired personnel and staff, and those who transfer into a new position with significant security and/or privacy responsibilities, complete specialized security or privacy RBT as appropriate for their assigned roles within 60 days of entry on duty or upon assuming new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/li\u003e\u003cli\u003eFor contractors with significant security and/or privacy responsibilities, complete specialized RBT within 60 days of beginning work on a contract. They must complete RBT at least annually thereafter.\u003c/li\u003e\u003cli\u003eReport anomalies when CMS programs, systems, or applications are collecting, creating, using, disclosing, or retaining more than the minimum data necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupervisors\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupervisors may be federal employees or contractors\u003csup\u003e2\u003c/sup\u003e and must fulfill all responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.37, \u003cem\u003eSupervisors\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of Supervisors include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotify the appropriate System Security and Privacy Officer (previously known as ISSO) (or the CMS CISO or designee, if the System Security and Privacy Officer (previously known as the ISSO) is not available) within one hour of any unexpected departure or separation of a CMS employee or contractor.\u003c/li\u003e\u003cli\u003eEnsure personnel who report directly to them complete all required information security training, including privacy and RBT, within the mandated time frames established in the CMS Incident Response (IR) procedures.\u003c/li\u003e\u003cli\u003eEnsure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity\u003c/a\u003e\u0026nbsp;designation as derived by the use of the \u003ca 
href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHuman Resource Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Human Resource Officer must be an agency official (federal government employee) and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinating with appropriate CMS CIO POCs and Office of Security, Facilities and Logistics Operations (OSFLO) POCs to ensure background checks are conducted for individuals with significant security responsibilities.\u003c/li\u003e\u003cli\u003eNotifying the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) within one business day when CMS personnel are separated from the Department.\u003c/li\u003e\u003cli\u003eEnsuring relevant paperwork, interviews, and notifications are sent to the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) when personnel join, transfer within, or leave the organization, either permanently or on detail.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees \u003c/strong\u003ewith regard to security incidents.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees\u003c/strong\u003e\u0026nbsp;relative to PII breaches and violations.\u003c/li\u003e\u003cli\u003eEnsuring all HR systems and records/data are maintained, used and shared in compliance with the Privacy Act of 1974, as amended (5 U.S.C. 
552a) and the HHS implementing regulations and applicable Systems of Records Notices (SORNs), and, all other applicable laws, policies and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Federal Executives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of CMS Federal Executives, including the Administrator, Chief Financial Officer (CFO), Personnel and Physical Security Officers (PPSO), and Operations Executive (OE). Only agency officials (federal government employees) are authorized to fill these roles.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAdministrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Administrator must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.2, \u003cem\u003eOpDiv Heads, \u003c/em\u003eincluding “Delegating responsibility and authority for management of HHS Operating Division (OpDiv) IT security and privacy programs to the OpDiv CIOs,” and those identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII). 
\u003c/em\u003eThese responsibilities include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDelegating responsibility and authority for making final decisions regarding external breach notification and issuing written notification to individuals affected by a privacy breach.\u003c/li\u003e\u003cli\u003eReceiving inquiries, investigations, or audits from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security Rules, and coordinating responses with the Chief Information Officer and other appropriate staff.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS's Continuity of Operations Program Policy also requires that the Administrator:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncorporate continuity of operations requirements into all CMS activities and operations.\u003c/li\u003e\u003cli\u003eDesignate in writing an accountable official as the Agency Continuity Point of Contact, who is directly responsible to the Administrator for management oversight of the CMS continuity program and who is the single point of contact for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Financial Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CFO must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.3, \u003cem\u003eOffice of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO).\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePersonnel and Physical Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe PPSO must fulfill the shared responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.6, \u003cem\u003eOffice of National Security (ONS). 
\u003c/em\u003eIn addition to the HHS IS2P, the general and incident response responsibilities of the PPSO must include, but are not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProtect employees, visitors, and CMS-owned and CMS-occupied critical infrastructure\u003c/li\u003e\u003cli\u003eCoordinate national security information services to all components within the Office of the Administrator (OA).\u003c/li\u003e\u003cli\u003eCoordinate with appropriate CMS CIO POCs and HHS POCs to ensure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity designation\u003c/a\u003e\u0026nbsp;as derived by the use of the \u003ca href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipate at the request of law enforcement, the HHS Computer Security Incident Response Center (CSIRC), the HHS Office of the Inspector General (OIG), and/or the CMS Cybersecurity Integration Center (CCIC) in investigating security and privacy incidents and breaches involving federal employees and/or CMS contractor personnel.\u003c/li\u003e\u003cli\u003eParticipate at the request of the HHS Privacy Incident Response Team (PIRT) and/or the CMS Breach Analysis Team (BAT) in investigating incidents and/or violations involving federal employees, PII, PHI, and/or Federal Tax Information (FTI).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOperations Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Operations Executive must fulfill the responsibilities that include, but are not limited to, the 
following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee day-to-day information security and privacy operations for CMS employees.\u003cul\u003e\u003cli\u003eDevelop and maintain, in coordination with the CISO and SOP, the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy\u003c/em\u003e, to address, at a minimum, the following Acceptable Use standards:\u003cul\u003e\u003cli\u003ePrivacy requirements must be identified in contracts and acquisition-related documents.\u003c/li\u003e\u003cli\u003ePersonal use of CMS IT resources must comply with \u003cem\u003eHHS Policy for Personal Use of Information Technology Resources\u003c/em\u003e, such that personal use of CMS IT resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure all CMS system users annually read and sign the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information Resources\u003c/em\u003e, which governs the appropriate use of CMS IT resources.\u003c/li\u003e\u003cli\u003eInform CMS employees and contractors that use of CMS information resources, other than for authorized purposes, is a violation of the HHS RoB and Article 35 of the Master Labor Agreement and is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges that could result in imprisonment. 
CMS bargaining unit employees must also adhere to Article 35 of the Master Labor Agreement.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors encrypt CMS sensitive information transmitted to a non-CMS controlled environment,\u003csup\u003e7\u003c/sup\u003e including but not limited to email, using Federal Information Processing Standard (FIPS) 140-3 compliant encryption solutions/modules (i.e., cryptographic modules validated under NIST's Cryptographic Module Validation Program, rather than products that merely claim to implement FIPS-approved algorithms).\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors are prohibited from transmitting sensitive CMS information using any non-CMS approved, Internet-based mechanism, including but not limited to, personal email, file-sharing, file transfer, or backup services.\u003c/li\u003e\u003cli\u003eEnsure that any CMS contractor, other person, or organization that performs functions or activities that involve the use or disclosure of PHI on behalf of CMS has Business Associate Agreement provisions in their contracts or agreements per OAGM standard contract language requirements.\u003c/li\u003e\u003cli\u003eEnsure CMS uses PII internally only for the purpose(s) that are authorized by statute, regulation, or Executive Order and, when the PII is also considered PHI, only for treatment, payment, healthcare operations, or other uses permitted under HIPAA (e.g., for research as permitted under 45 CFR §164.512).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOffice Director, Office of Enterprise Data and Analytics and Chief Data Officer\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eThe Office Director of the Office of Enterprise Data and Analytics (OEDA) also serves as the CMS Chief Data Officer (CDO). The CDO must be an agency official (federal government employee). 
The CDO must establish and implement policies, practices, and standards for maximizing the value and impact of CMS data for internal and external stakeholders.\u003c/p\u003e\u003cp\u003eOEDA develops and implements a data services strategy to maximize use of data on all CMS programs, including issue papers, chart books, dashboards, interactive reports, data enclave services, public use files, and research identifiable files. OEDA oversees the creation of data sets that de-identify individuals and makes these data sets publicly available when there is legal authority permitting their creation. Methods for creating these data sets may include:\u003c/p\u003e\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(2) (the “Safe Harbor Rule”).\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(1) (the “Expert Determination Rule”).\u003c/li\u003e\u003cli\u003e\u003cp\u003eOEDA also oversees the creation of “limited data sets” (LDS), which are data sets to be used or disclosed for purposes of research, public health, or healthcare operations, using the methodology set out at 45 CFR §164.514(e).\u003c/p\u003e\u003cp\u003eThe Administrator may designate other specific responsibilities to the CDO as necessary.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eOffice Director, Office of Acquisition and Grants Management and Head of Contracting Activity\u003c/h4\u003e\u003cp\u003eThe Office Director of the Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA) also serves as the CMS Chief Acquisition Officer (CAO). The CAO must be an agency official (federal government employee) designated to advise and assist the head of the agency and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities. 
The responsibilities of the Chief Acquisition Officer include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAdvise and assist the administrator and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities.\u003c/li\u003e\u003cli\u003eCoordinate with the authorizing official, business owners, system owners, common control providers, chief information security officer, senior official for privacy, and risk executive (function) to ensure that security and privacy requirements are defined in organizational procurements and acquisitions.\u003c/li\u003e\u003cli\u003eMonitor the performance of the acquisition activities and programs.\u003c/li\u003e\u003cli\u003eEstablish clear lines of authority, accountability, and responsibility for acquisition decision-making within CMS.\u003c/li\u003e\u003cli\u003eManage the direction and implementation of the acquisition policy.\u003c/li\u003e\u003cli\u003eEstablish policies, procedures, and practices that promote full and open competition from responsible sources to fulfill best value requirements considering the nature of the property or service procured.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCenter and Office Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach CMS Center and Office Executive must nominate an appropriately qualified staff member as a Data Guardian to the Senior Official for Privacy (SOP) for approval. 
The executive must ensure the Data Guardian meets the following qualifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe a proficient consumer advocate\u003c/li\u003e\u003cli\u003eHave experience in identifying information security and privacy requirements\u003c/li\u003e\u003cli\u003eBe trained in using the CMS Risk Management Framework (RMF)\u003c/li\u003e\u003cli\u003eUnderstand the CMS Center/Office business processes and operations\u003c/li\u003e\u003cli\u003eHave respect for the role and impact PII and PHI play within the Center/Office and across the CMS enterprise.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation Security and Privacy Officers\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those federal employees with roles related to establishing this \u003cem\u003ePolicy \u003c/em\u003eand the associated Program designed to protect CMS information and information systems, including the CIO, CISO, SOP, Privacy Act Officer, Chief Technology Officer (CTO), Configuration Management Executive, Cyber Risk Advisor (CRA), Privacy Advisor, and Marketplace Senior Information Security Officer.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CIO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.11, \u003cem\u003eOpDiv CIOs, \u003c/em\u003eincluding serving as the Chief Risk Officer and Authorizing Official (AO) for all CMS FISMA systems. 
There is only one AO for all CMS FISMA systems.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CIO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate the CISO as the authority for managing CMS incident response activities identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDefine recommended minimum System Security and Privacy Officer (previously known as ISSO) qualifications commensurate with the System Security and Privacy Officer (previously known as ISSO) role within CMS for both federal employees and contractors defined with NIST Significant Information Security and Privacy Responsibilities (SISPRs)\u003c/li\u003e\u003cli\u003eDefine mandatory information security and privacy training, education, and awareness activities undertaken by all personnel, including contractors, commensurate with identified roles and responsibilities\u003c/li\u003e\u003cli\u003eShare threat information as mandated by the Cybersecurity Enhancement Act of 2014\u003c/li\u003e\u003cli\u003eCoordinate with the CISO to establish configuration management processes and procedures\u003c/li\u003e\u003cli\u003eCreate and manage the review and approval of changes through the appropriate IT governance and change control bodies/boards\u003c/li\u003e\u003cli\u003eCoordinate with the CISO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications\u003c/li\u003e\u003cli\u003eRespond to any inquiries, investigations, or audits received from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security 
Rules\u003c/li\u003e\u003cli\u003eEnsure that all CMS key stakeholders, including the Chief Financial Officer (CFO); Office Director, Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA); Senior Official for Privacy (SOP); mission, business, and policy owners; as well as the CISO organizations, are aware of risks associated with High Value Assets (HVAs)\u003c/li\u003e\u003cli\u003eEnsure the establishment and implementation of an HHS-specific or CMS-specific HVA Policy and HVA Management Program.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CISO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.12, \u003cem\u003eOpDiv CISOs. \u003c/em\u003eThe CISO carries out the CIO's information security responsibilities under federal requirements in conjunction with the SOP.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements through the \u003cem\u003eCMS ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003ePublish CISO Directives as required to augment existing policy.\u003c/li\u003e\u003cli\u003eReview any requested waivers and deviations from this Policy and provide recommendations to the AO for risk acceptance.\u003c/li\u003e\u003cli\u003eServe as the security official who is responsible for the development and implementation of the policies and procedures that are required by the HIPAA Security Rule (please refer to 45 CFR §164.308(a)(2)).\u003c/li\u003e\u003cli\u003eDelegate the authority to approve system configuration deviations to the CRA and System Security and Privacy Officer (previously known as 
the ISSO), where appropriate.\u003c/li\u003e\u003cli\u003eEnsure CMS-wide implementation of HHS and CMS information security and privacy capabilities, policies, and procedures consistent with the NIST Risk Management Framework (RMF).\u003c/li\u003e\u003cli\u003eLead the investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eDefine and oversee the goals and requirements of Agency Security Operations.\u003c/li\u003e\u003cli\u003eCoordinate incident response and threat information sharing with the HHS CSIRC and/or HHS PIRT, as appropriate.\u003c/li\u003e\u003cli\u003eEnsure the information security continuous monitoring (ISCM) capabilities accomplish the goals identified in the ISCM strategy.\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process as part of the Program.\u003c/li\u003e\u003cli\u003eApprove the appointment of the System Security and Privacy Officer (previously known as ISSO) by the Program Executive.\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection by coordinating with the SOP and the CCIC Director to (1) disconnect or suspend interconnections and (2) ensure interconnections remain disconnected or suspended until the AO orders reconnection.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Executive (Function)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Risk Executive must be an agency official (federal government employee). 
The Risk Executive must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.13, \u003cem\u003eRisk Executive (Function)\u003c/em\u003e. The Administrator may designate specific responsibilities to the Risk Executive (RE) as necessary.\u003c/p\u003e\u003cp\u003eThe Risk Executive must also fulfill the responsibilities for agency-wide risk management strategies that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the CCIC to:\u003cul\u003e\u003cli\u003eManage risk(s) identified in the threat landscape via cyber threat intelligence, vulnerability assessment, penetration testing, forensics, malware analysis, insider threat, etc., and security and privacy risk(s) identified via risk assessments, security control assessments, internal/external audits, etc. (including supply chain risk[s] identified via the Division of Strategic Information [DSI]), for organizational systems and the environments in which the systems operate.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUse the CDM program to identify and report on the risk posture of the portfolio of FISMA reported systems in near real time.\u003c/li\u003e\u003cli\u003eUtilize the CFACTS system to report on the risk posture of the FISMA reported systems.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSenior Official for Privacy\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SOP must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.18, \u003cem\u003eOpDiv SOP\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the SOP must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLead CMS privacy programs and promote proper information security and privacy practices.\u003c/li\u003e\u003cli\u003eLead the development and 
implementation of privacy policies and procedures, including the following actions:\u003cul\u003e\u003cli\u003eEvaluate any new legislation that obligates the Program to create any regulations, policies, procedures, or other documents concerning collecting, creating, using, disclosing, or retaining PII/PHI.\u003c/li\u003e\u003cli\u003eEnsure an appropriate party will develop all such required policies or other documents.\u003c/li\u003e\u003cli\u003eEnsure policies exist to impose criminal penalties and/or other sanctions on CMS employees (consistent with the CMS Master Labor Agreement) and non-employees, including contractors and researchers, for violations of law and policy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure privacy controls are implemented and enforced.\u003c/li\u003e\u003cli\u003eServe as the privacy official responsible for developing and implementing policies and procedures, receiving complaints, and providing further information related to the Notice of Privacy Practices, as required by the HIPAA Privacy Rule (please refer to 45 CFR §164.530(a)).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their rights to access, inspect, request additions or amendments, and obtain copies of their PII/PHI in a designated record set or in a Privacy Act system of records (SOR).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their right to an accounting of disclosures of their PII/PHI by CMS or its business associates.\u003c/li\u003e\u003cli\u003eEnsure any use or disclosure of PII/PHI that is not for treatment, payment, or health care operations, and is not otherwise permitted or required by the HIPAA Privacy Rule or the Privacy Act, occurs only with the individual's authorization.\u003c/li\u003e\u003cli\u003eEnsure the Program develops and documents a Notice of Privacy Practices for all Medicare Fee-for-Service beneficiaries, as required by the HIPAA Privacy Rule, that defines the uses and disclosures of 
PHI.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner / Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eCoordinate as the lead and collaborate with the CISO to:\u003cul\u003e\u003cli\u003eDocument privacy requirements and manage privacy implementation as CMS information systems are designed, built, operated, or updated\u003c/li\u003e\u003cli\u003eProvide recommendations to the CIO regarding the privacy posture of FISMA systems and the use/disclosure of CMS information\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCo-chair the CMS Data Governance Board.\u003c/li\u003e\u003cli\u003eApprove the appointment of Data Guardians by the Center or Office Executive.\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling, which includes all incidents involving PII/PHI.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection\u003cul\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to disconnect or suspend interconnections\u003c/li\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to ensure interconnections remain disconnected or suspended until the AO orders reconnection\u003c/li\u003e\u003cli\u003eReview HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII/PHI\u003c/li\u003e\u003cli\u003eEnsure that all required privacy documentation and materials are complete, accurate, and up to date.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Act Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Privacy Act Officer must be an agency official (federal government employee) and must fulfill all 
the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.20, \u003cem\u003eOpDiv Privacy Act Contact\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Privacy Act Officer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, implement, and maintain policies and procedures related to the Privacy Act.\u003c/li\u003e\u003cli\u003eProcess Privacy Act requests, including requests requiring exceptions to the Privacy Act.\u003c/li\u003e\u003cli\u003eProvide guidance and advice on federal Privacy Act policies and procedures.\u003c/li\u003e\u003cli\u003eEvaluate the impact of the Privacy Act and regulations on the organization's activities.\u003c/li\u003e\u003cli\u003eCoordinate with CMS Offices and staff as needed.\u003c/li\u003e\u003cli\u003eRepresent CMS on issues related to the Privacy Act.\u003c/li\u003e\u003cli\u003eAssess Privacy Act-related risks associated with programs, operations, and technology.\u003c/li\u003e\u003cli\u003eSupport efforts across CMS to comply with the Privacy Act.\u003c/li\u003e\u003cli\u003ePlan and conduct training sessions on Privacy Act requirements.\u003c/li\u003e\u003cli\u003eEnsure procedures exist to:\u003cul\u003e\u003cli\u003eAuthenticate the identity of a person requesting PII/PHI and, as appropriate, the authority of any such person permitted access to PII/PHI\u003c/li\u003e\u003cli\u003eObtain any documentation, statements, or representations, as appropriate, whether oral or written, from the authorized person requesting the PII/PHI\u003c/li\u003e\u003cli\u003eIn responses to requests for disclosures, limit the PII/PHI disclosed to that which is the minimum amount reasonably necessary to achieve the intended purpose of the disclosure or request, relying (if such reliance is reasonable under the circumstances) on the precise scope of the requested disclosure to 
determine the minimum necessary information to be included in the disclosure\u003c/li\u003e\u003cli\u003eIn structuring all CMS processes, ensure that, to the greatest degree practicable, each person receives only the PII/PHI data elements and records that the person needs (e.g., the data elements the person needs to perform all tasks within the scope of their assigned responsibilities)\u003c/li\u003e\u003cli\u003eWhen CMS requests PII/PHI from third parties, ensure the PII/PHI requested is limited to the amount reasonably necessary to accomplish the purpose for which the request is made.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Technology Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Chief Technology Officer (CTO) must be an agency official (federal government employee). The CIO may designate specific responsibilities to a CTO as necessary.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConfiguration Management Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Configuration Management Executive must be an agency official (federal government employee) and must provide executive-level oversight for configuration management and contingency planning.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCyber Risk Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCyber Risk Advisors (CRAs) may be federal employees or contractors. 
The CISO may designate the authority to approve system configuration deviations to the CRA where appropriate.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CRA must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAct as the subject matter expert in all areas of the \u003cem\u003eCMS RMF.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEvaluate, maintain, and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the AO.\u003c/li\u003e\u003cli\u003eSupport the CMS stakeholders in ensuring that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced; serve as an active participant in the system development life cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs considering security, functionality, and cost.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Information System Owner (ISO), Business Owner, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts and manage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC as appropriate and results are considered during the development phase of the SDLC.\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed 
information security and privacy artifacts to provide recommendations to the System Security and Privacy Officer (previously known as ISSO).\u003c/li\u003e\u003cli\u003eProvide guidance to CMS stakeholders on required actions, potential strategies, and best practices for closure of identified weaknesses.\u003c/li\u003e\u003cli\u003eUpload findings spreadsheets to the CMS FISMA Controls Tracking System (CFACTS).\u003c/li\u003e\u003cli\u003eEnsure AO-issued authorization is updated in CFACTS.\u003c/li\u003e\u003cli\u003eServe as the authority to approve selected system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eRemind System Security and Privacy Officer (previously known as ISSO) with expiring or expired letters to resubmit their appointment letters using a new letter.\u003c/li\u003e\u003cli\u003eUpload signed System Security and Privacy Officer (previously known as ISSO) appointment letter(s) to CFACTS.\u003c/li\u003e\u003cli\u003eCoordinate with the BO, ISO, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact the organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePrivacy Advisors may be federal employees or contractors and work under the direction of the SOP. 
The Privacy Advisor must fulfill responsibilities that include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify opportunities to integrate Fair Information Practice Principles (FIPP) into CMS business processes and information systems.\u003c/li\u003e\u003cli\u003eEvaluate legislation, regulations, and policies that may affect how CMS collects, uses, stores, discloses, or retires PII; identify their potential impacts on CMS; and recommend responsive actions to the CMS management or others that request guidance.\u003c/li\u003e\u003cli\u003eFor IT systems, coordinate with the Business Owner, CRA, Data Guardian, ISO, and System Security and Privacy Officer (previously known as ISSO) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the privacy impacts, and manage information security and privacy risk, including:\u003cul\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) and existing CFACTS documentation to verify that the PIA follows HHS/CMS guidance and verify that privacy risks have been appropriately documented\u003c/li\u003e\u003cli\u003eEvaluate privacy-related agreements (e.g., Computer Matching Agreements [CMA], Information Exchange Agreements [IEAs], and Memoranda of Agreement / Understanding [MOA/MOU]) to verify that privacy requirements are satisfied and privacy risks are adequately addressed, both initially and when periodically reviewed, and provide guidance and advice on these agreements to Business Owners, ISOs, and other CMS staff as needed\u003c/li\u003e\u003cli\u003eContinuously monitor all findings of privacy risk or deficiency, including by monitoring progress against privacy-related POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eTrack the progress of enterprise privacy risk mitigation activities across portfolios\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eProvide ISPG perspective during TRB reviews to 
assess the impact of changes to IT systems on privacy issues and work to mitigate those impacts.\u003c/li\u003e\u003cli\u003eWork with System Security and Privacy Officer (previously known as ISSO) to evaluate system changes to determine whether privacy risks are sufficiently significant to require updates to Authority To Operate (ATO) documents.\u003c/li\u003e\u003cli\u003eWork with BO, ISO, CRA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eWorks with CRAs to verify that decommission and disposition plans for IT systems do not create significant privacy risks.\u003c/li\u003e\u003cli\u003eAssist in developing reports on any aspect of privacy requested by CMS senior management, HHS, external auditors, or any other party authorized to request and receive such information.\u003c/li\u003e\u003cli\u003eProvide recommendations concerning the privacy risks and practices relevant to IT systems.\u003c/li\u003e\u003cli\u003eProvide incident handling support for incidents involving PII.\u003c/li\u003e\u003cli\u003eAdvise CMS healthcare programs on compliance with privacy and related cybersecurity requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAffordable Care Act (ACA) Senior Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ACA Senior Information Security Officer must be an agency official (federal government employee).\u003c/p\u003e\u003cp\u003eThe responsibilities of the ACA Senior Information Security Officer must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the overall information security and privacy of the Health Insurance Marketplace (HIM) by driving integration, collaboration, and innovation across disparate groups under the HIM program.\u003c/li\u003e\u003cli\u003eRepresent 
the interests of the CCIIO, as well as the CIO, CISO, and SOP by integrating the work of the managers and staff of multiple units to ensure an acceptable information security and privacy posture through visibility, compatibility, and situational awareness.\u003c/li\u003e\u003cli\u003eProvide technical and policy guidance during all phases of the SDLC to balance risk-based tradeoffs among information security, privacy, functionality, and cost.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Records Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Records Officer must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsuring compliance with the Federal Records Act of 1950, National Archives and Records Administration (NARA) regulations and/or guidance, OMB directives, and Government Accountability Office (GAO) audit requirements.\u003c/li\u003e\u003cli\u003eServing as Chairperson of the CMS Records Management Office.\u003c/li\u003e\u003cli\u003eDevelop CMS records management policies and procedures.\u003c/li\u003e\u003cli\u003eProviding agency-wide guidance, training, and assistance for compliance with laws and regulations\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupply Chain Risk Management (SCRM) Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SCRM Manager must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eManaging the development, documentation, and dissemination of the supply chain risk management policy and procedures.\u003c/li\u003e\u003cli\u003eAnalyze and assess the effects and impacts of existing and proposed federal legislation on CMS policies as it relates to supply chain risk management.\u003c/li\u003e\u003cli\u003eFacilitate 
or attend SCRM-related working group meetings to promote the supply chain risk management program and share policy updates and supply chain risk challenges and solutions with relevant CMS stakeholders.\u003c/li\u003e\u003cli\u003eResearch, identify, analyze and recommend countermeasures and mitigations for supply chain risks that promote supply chain resilience.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eProgram and Information System Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those with roles related to CMS programs and the associated information systems. Program Executives oversee CMS programs and may also serve as ISOs and/or Business Owners. ISOs, referred to as “System Owners” in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, take responsibility for the operation of information systems required by the CMS program. Business Owners, referred to in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eas “Data Owners/Business Owners,” take primary responsibility for the information and data processed by the CMS program.\u003c/p\u003e\u003cp\u003eThis subsection also identifies specific information security and privacy responsibilities of the ISOs, Data Guardians, Business Owners, Contracting Officers (CO), Contracting Officer's Representatives (COR), and Program/Project Managers. This subsection also describes the responsibilities of the System Security and Privacy Officer (previously known as ISSO), including auxiliary responsibilities of the Security Control Assessor and Contingency Planning Coordinator (CPC) that may be filled by the System Security and Privacy Officer (previously known as ISSO). 
The final subsection describes specific responsibilities of the Security Operations Center/Incident Response Team (SOC/IRT).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISO must be an agency official (federal government employee) and must fulfill all of the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23 IS2P, \u003cem\u003eSystem Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS ISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn coordination with the Data Guardian and Business Owner\u003cul\u003e\u003cli\u003eNominate appropriately qualified System Security and Privacy Officer (previously known as ISSO) appointees, as defined under FISMA, to the CISO for approval.\u003c/li\u003e\u003cli\u003eEnsure that information security and privacy for each information system are planned, documented, and integrated from project inception through all phases of the CMS SDLC.\u003c/li\u003e\u003cli\u003eConsult and coordinate with the CIO and SOP to identify, negotiate, and execute appropriate governing artifacts and agreements before sharing CMS information.\u003c/li\u003e\u003cli\u003eIdentify program or system roles that have NIST Significant Information Security or Privacy Responsibilities (SISPRs) within their purview and oversee the system-specific Rules of Behavior (RoB) training applicable to system(s) in their portfolio.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Business Owner, CRA, Privacy Steward, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS or the component of CMS 
conducting the collection of PII/PHI has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, sharing, and disclosure of PII/PHI and subsequent appropriate disposal after disposition and retirement\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure each system's Change Control Board (CCB):\u003cul\u003e\u003cli\u003eIs an integral part of the information system change management process.\u003c/li\u003e\u003cli\u003eImplements applicable governing standards as defined in the \u003cem\u003eARS.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSupports the creation of baseline configuration documentation to reflect ongoing implementation of the operational configuration baseline updates.\u003c/li\u003e\u003cli\u003eSupports the change management processes to address change requests (CRs) for each system so that an appropriate Security Impact Analysis is performed by the System Security and Privacy Officer (previously known as ISSO) or designated staff\u003c/li\u003e\u003cli\u003eApproves System Security and Privacy Officer (previously known as ISSO) information security configuration recommendations to address weaknesses and system deficiencies.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure employees and contractors receive the appropriate training and education regarding relevant information security and privacy laws, regulations, and policies governing the information assets they are responsible for protecting.\u003c/li\u003e\u003cli\u003eServe as the attestation official for approving the common controls provided by the system.\u003c/li\u003e\u003cli\u003eInclude the Security Control Assessor or representative from the system as a member of the CCB in all configuration management processes that include the system. 
If the System Security and Privacy Officer (previously known as ISSO) or Security Control Assessor acts as a voting member of the CCB, they must be federal employees.\u003c/li\u003e\u003cli\u003eMaintain change documentation in accordance with the CMS Records Retention Policy\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Data Guardian must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresent the Center or Office on the Data Guardian Committee under the auspices of the CMS Data Governance Board to ensure a coordinated and consistent approach to protecting PII across the CMS enterprise.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the ISO, Business Owner, CRA, and ISSO (Now referred to as Security and Privacy Officer) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information 
systems\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIdentify and pursue opportunities to proactively enhance information security and privacy controls and increase awareness of the evolving information security and privacy threats to the information assets of the Center or Office.\u003c/li\u003e\u003cli\u003eAttend quarterly Data Guardian Meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSafeguard PII by creating an information security and privacy awareness culture that adheres to information security and privacy standards and requirements designed to protect CMS data assets as directed by the CISO and SOP.\u003c/li\u003e\u003cli\u003eGather lessons learned and communicate best practices for protecting PII to their Center or Office.\u003c/li\u003e\u003cli\u003eParticipate in incident response activities affecting the Center or Office information security and privacy posture.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner \u003c/em\u003ein coordination with the Data Guardian. CMS Business Owners are the Group Directors or Deputy Group Directors who have the primary business needs that are or will be addressed by CMS IT investments/projects. 
The responsibilities of the CMS Business Owner must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the requirements of the CMS Policy for IT Investment Management \u0026amp; Governance or its successor policy.\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with the COs and CORs to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the SOP to ensure appropriate information security and privacy contracting language from relevant sources is incorporated into each IT contract. 
Relevant sources must include, but are not limited to, the following:\u003cul\u003e\u003cli\u003eHHS ASFR\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with the \u003cem\u003eCMS ARS\u003c/em\u003e, and when collecting or using FTI, with Internal Revenue Service (IRS) \u003cem\u003ePublication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eCoordinate with ISO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocument data that are collected and maintained and certify that the data are authorized, relevant, and necessary to CMS's mission.\u003c/li\u003e\u003cli\u003eOwn the information stored, processed, or transmitted in CMS's information systems and limit access to the data/information.\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems that are permitted by routine use under CMS System of Records Notices (SORN) through appropriate vehicles to authorize or deny the release of PII.\u003c/li\u003e\u003cli\u003eVerify that CMS's programs or systems only disclose the minimum data necessary.\u003c/li\u003e\u003cli\u003eDetermine and certify that the information security and privacy controls that protect CMS's systems are commensurate with the sensitivity of the data being 
protected.\u003c/li\u003e\u003cli\u003eEstablish and revise, in coordination with the Privacy Act Officer, SORNs and computer matching agreements in accordance with the established procedures.\u003c/li\u003e\u003cli\u003ePrepare PIAs for programs or systems in accordance with the direction provided by the CRA.\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and the determination of the appropriate action to be taken regarding external notification of privacy breaches as well as the reporting, monitoring, tracking, and closure of PII incidents.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eContracting Officer and Contracting Officer's Representative\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CO and COR must be agency officials (federal government employees) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.34, \u003cem\u003eCO and COR.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS CO and COR must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the CISO, SOP, Privacy Act Officer, and Data Guardian are consulted during contract development and that the latest information security and privacy contract language is included in all contracts, as applicable.\u003c/li\u003e\u003cli\u003eWork with the Business Owner to determine the minimum necessary PII/PHI required to conduct each activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003e\u003cp\u003eCollect training records demonstrating that all CMS contractors with significant security and/or privacy responsibilities complete specialized role-based training (RBT) commensurate with their roles within 60 days of beginning work on a contract, upon commencement of the contractor's work, annually thereafter, and upon 
request.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eProgram/Project Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Program/Project Manager must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.35, \u003cem\u003eProject/Program Manager \u003c/em\u003ein coordination with the Data Guardian.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Program/Project Manager must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure information security and privacy-related actions identified by the CMS SDLC meet all identified information security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure contractors follow all required information security and privacy policies, standards, and procedures\u003c/li\u003e\u003cli\u003eEnsure contractors follow all required procedures and provide all required documentation when requesting/gaining access to PII\u003c/li\u003e\u003cli\u003eEnsure contractors use the minimum data required to perform approved tasks\u003c/li\u003e\u003cli\u003eEnsure contractors return data covered by approved information sharing agreements at the end of the contract or task to the COR for proper destruction\u003c/li\u003e\u003cli\u003eEnsure appropriate notification and corrective actions, as described in the CMS Incident Handling procedure, are taken when a privacy breach is declared and involves a contractor or a public-private partnership operating a SOR on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrimary System Security and Privacy Officer (previously known as 
P-ISSO)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Primary System Security and Privacy Officer (previously known as P-ISSO) may be either a federal government employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.24, \u003cem\u003eSystem Security and System Privacy Officers (previously referred to as ISSO)\u003c/em\u003e. The System Security and Privacy Officer (previously known as ISSO) must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSections 7.26 and 7.30, and further elaborated in this subsection.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Primary System Security and Privacy Officer (previously known as P-ISSO) must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReport compliance on secure protocol use in websites periodically as defined within the \u003cem\u003eCMS 
ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003eSubmit System Security and Privacy Officer (previously known as ISSO) appointment letter for assigned system when nominated for approval and resubmit every two (2) years for review.\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and application.\u003c/li\u003e\u003cli\u003eCoordinate with the System Developer and Maintainer in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eDocument the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance.\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, and the PA in documenting Risk-based Decisions which impact their organizational FISMA system in accordance to CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eAct as one of the attestation officials for any authorization request for certification for an Authority-To-Operate (ATO) from the CMS Authorization Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for PII, PHI, and FTI in accordance with the \u003cem\u003ePrivacy Act\u003c/em\u003e, \u003cem\u003eE-Government Act\u003c/em\u003e, the HIPAA Privacy and Security Rules, and all applicable 
guidance.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain current system information in CFACTS (such as POCs and artifacts) to support organizational requirements and processes (e.g., communication, contingency planning, training, and data calls).\u003c/li\u003e\u003cli\u003eCoordinate with the Business Owner, ISO, and CISO to ensure that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced for applicable information and information systems.\u003c/li\u003e\u003cli\u003eEnsure anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and ISCM activities are addressed and remediated in a manner that is commensurate with the risks posed to the system from the anomalies.\u003c/li\u003e\u003cli\u003eEvaluate the impact of network and system changes using standard processes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem Development Life Cycle\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eInitiation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and confirm that contracts include appropriate information security and privacy language.\u003cul\u003e\u003cli\u003eCoordinate with Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure the system appears in CFACTS.\u003c/li\u003e\u003cli\u003eGenerate a draft PIA in coordination with the Business Owner.\u003c/li\u003e\u003cli\u003eEvaluate whether other privacy artifacts are required.\u003c/li\u003e\u003cli\u003eComplete System Security Categorization.\u003c/li\u003e\u003cli\u003eIdentify system-specific, information security and privacy training needs.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eConcept\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and discuss risk with the Program Manager and Business Owner.\u003c/li\u003e\u003cli\u003eIdentify any investment needs to ensure each FISMA system meets security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003ePlanning\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a System Security and Privacy Plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure Security Control Assessment is scheduled.\u003c/li\u003e\u003cli\u003eIdentify training needs.\u003c/li\u003e\u003cli\u003eReview or develop a corresponding security architecture diagram.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eRequirements Analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eConduct formal information security risk assessment (ISRA)\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eComplete documentation activities, including the privacy documents.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDesign\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that security architecture ingress/egress points are reviewed to meet CMS security requirements.\u003c/li\u003e\u003cli\u003eEnsure data is transmitted, processed, and stored securely.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDevelopment\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify software code is developed in accordance with the \u003cem\u003eCMS Technical Reference Architecture (TRA) 
\u003c/em\u003eand SDLC information security and privacy guidelines.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eTest\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSchedule internal tests such as penetration testing.\u003c/li\u003e\u003cli\u003eCoordinate with the CCIC to ensure assets are identified within monitoring tools.\u003c/li\u003e\u003cli\u003eEnsure use case security testing is incorporated into system functional testing.\u003c/li\u003e\u003cli\u003eEnsure change control processes are followed in accordance with the system security and privacy plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure auditing logs are appropriately capturing required information.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eImplementation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure third-party testing begins and weaknesses are resolved quickly.\u003c/li\u003e\u003cli\u003eEnsure each FISMA system is authorized for operation before the go-live date.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eOperation and Maintenance\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAddress weaknesses and POA\u0026amp;Ms.\u003c/li\u003e\u003cli\u003eReview available reports.\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based on change requests.\u003c/li\u003e\u003cli\u003eConduct Security Impact Analysis (SIA) at the direction of the Business Owner.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDisposition\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify the proper disposition of hardware and software.\u003c/li\u003e\u003cli\u003eVerify data are archived securely in accordance with the National Archives and Records Administration (NARA) requirements and in coordination with the Data Guardian.\u003c/li\u003e\u003cli\u003eInitiate the request to close out the project file in CFACTS.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecondary System Security and Privacy Officer (previously known as S-ISSO) and System Security and Privacy Officer Contractor Support (previously known as ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Secondary System Security and Privacy Officer (previously known as S-ISSO) may be either a federal government employee or a contractor identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.25, \u003cem\u003eSystem Security and Privacy Officer (previously referred to as ISSO) Designated Representative / Security Steward \u003c/em\u003eand must assist the Primary System Security and Privacy Officer (previously known as P-ISSO). 
The System Security and Privacy Officer Contractor Support (previously known as ISSOCS) is a contractor only role that assists and supports the Primary System Security and Privacy Officer (previously known as P-ISSO) and Secondary Systems Security and Privacy Officer (previously known as S-ISSO) roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor (also referred to as Certification Agent) role may be performed by a System Security and Privacy Officer (previously known as ISSO). The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eInformation Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23, \u003cem\u003eSecurity or Privacy Control Assessor\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by a System Security and Privacy Officer (previously known as ISSO). 
The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS \u003cem\u003ePolicy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.30, \u003cem\u003eContingency Planning Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Contingency Planning Coordinator must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWork as part of an integrated project team to ensure contingency plans and related operational procedures accommodate all business resumption priorities and the defined applicable Maximum Tolerable Downtimes (MTD)\u003c/li\u003e\u003cli\u003eEnsure procedures exist that achieve continuity of operations of business objectives within appropriately targeted systems with any applicable Recovery Time Objective (RTO) and Recovery Point Objective (RPO) identified in the Business Impact Assessment\u003c/li\u003e\u003cli\u003eEnsure that the contingency plan is activated if any computer security incident disrupts the system; if the disruption is not resolved within the system's RTO, implement the system's disaster recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Operations Center/Incident Response Team\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe FISMA system SOC/IRT may consist of federal employees or contractors and must fulfill all the FISMA system-level responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv CSIRT, \u003c/em\u003eand the applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS PIRT\u003c/em\u003e. 
The FISMA system SOC/IRT reports to the Agency Security Operations, which is responsible for CMS-wide incident management.\u003c/p\u003e\u003cp\u003eThe Data Guardian, Business Owner, and ISO, in coordination with the CISO, have ownership of and responsibility for incident response and reporting for the FISMA system. The execution of this function begins at the data center/contractor site housing the FISMA system. Once an incident is declared, the CCIC coordinates with FISMA system SOC/IRT and Agency Security Operations personnel for all incident management activities.\u003c/p\u003e\u003cp\u003eThe FISMA system SOC/IRT operates under the direction and authority of the System Security and Privacy Officer (previously known as ISSO) and the Business Owner/ISO. The FISMA system SOC/IRT monitors for, detects, and responds to information security and privacy incidents within the FISMA system environment. The FISMA system SOC/IRT also provides timely, accurate, and meaningful reporting to the FISMA system stakeholders.\u003c/p\u003e\u003cp\u003eFISMA systems may perform the SOC/IRT capability by using a separate CMS CISO-approved SOC/IRT service provider. 
Any FISMA system SOC/IRT that is unable to deploy the required capabilities may establish an agreement with the CCIC to provide SOC/IRT services.\u003c/p\u003e\u003cp\u003eThe responsibilities of the FISMA system SOC/IRT must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor the FISMA system, perform:\u003cul\u003e\u003cli\u003eReal-time network and system security monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to information security and privacy incidents and breaches\u003c/li\u003e\u003cli\u003eSecurity sensor tuning and management and infrastructure operations and maintenance (O\u0026amp;M).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure flaw remediation (e.g., patching and installation of compensating controls), planning, ongoing scanning (e.g., ISCM), help desk, asset management, and ticketing are performed for the FISMA system in a manner that meets or exceeds CMS requirements.\u003c/li\u003e\u003cli\u003eEnsure the SOC/IRT-specific tools are implemented and deployed according to the CCIC and vendor technical guidance.\u003c/li\u003e\u003cli\u003eEnsure SOC/IRT-specific tools/equipment are isolated, as appropriate, from operational networks and systems.\u003c/li\u003e\u003cli\u003eServe as the FISMA systems information security and privacy lead on behalf of CCIC and HHS CSIRC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReport FISMA system information security and privacy incidents and breaches to CCIC and HHS CSIRC as required by federal law, regulations, mandates, and directives, and as reflected in the CMS established procedures.\u003c/li\u003e\u003cli\u003eReport cyber threat/intelligence/information to CCIC as required by federal law, regulations, mandates, and 
directives.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePrivileged Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes specific information security and privacy responsibilities of users with privileged access to CMS information systems. For example, a privileged user11 is any user that has sufficient access rights to modify, including disabling, controls that are in place to protect the system. The responsibilities for all privileged users must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLimit the use of privileged access to those administrative functions requiring elevated privileges\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem/Network Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System/Network Administrator may be a federal employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.33, \u003cem\u003eSystem Administrator\u003c/em\u003e. 
Per the HHS IS2P, the system administrator role includes, but is not limited to, other types of system administrators (e.g., database administrators, network administrators, web administrators, and application administrators).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWebsite Owner/Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Website Owner/Administrator may be a federal employee or contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.28, \u003cem\u003eWebsite Owner/Administrator\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Website Owner/Administrator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement proper system backups and patch management processes.\u003c/li\u003e\u003cli\u003eAssess the performance of security and privacy controls associated with the web service to ensure the residual risk is maintained within an acceptable range.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eLimit connections to publicly accessible federal websites and web services to approved secure protocols.\u003c/li\u003e\u003cli\u003eEnsure federal websites and web services adhere to Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS)12 practices.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem Developer and Maintainer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System Developer and Maintainer must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the 
\u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.31, \u003cem\u003eSystem Developer and Maintainer\u003c/em\u003e. The responsibilities of the CMS System Developer and Maintainer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify, tailor, document, and implement information security- and privacy-related functional requirements necessary to protect CMS information, information systems, missions, and business processes, including:\u003cul\u003e\u003cli\u003eEnsure the requirements are effectively integrated into IT component products and information systems through purposeful security architecting, design, development, and configuration in accordance with the CMS SDLC and change management processes\u003c/li\u003e\u003cli\u003eEnsure the requirements are adequately planned and addressed in all aspects of system architecture, including reference models, segment and solution architectures, and information systems that support the missions and business processes\u003c/li\u003e\u003cli\u003eEnsure automated information security and privacy capabilities are integrated and deployed as required.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the System Security and Privacy Officer (previously known as ISSO) to identify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eFollow the CMS SDLC in developing and maintaining a CMS system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among planned and implemented information security and privacy safeguards and the features installed on the system\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003cem\u003eCMS TRA.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the RMF tasks listed in NIST 
SP 800-37 Revision 2\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that currently disseminate data for any purpose are capable of extracting data by pre-approved categories.\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eEnterprise Architect (Function)\u003c/h3\u003e\u003cp\u003eThe Enterprise Architect must be an agency official (federal government employee). The Enterprise Architect must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e Section 7.32. \u003cem\u003eEnterprise Architect\u003c/em\u003e. The CIO may designate specific responsibilities to the Enterprise Architect as necessary.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Enterprise Architect must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop and disseminate strategies, policies, and standards to implement the Enterprise Architecture program.\u003c/li\u003e\u003cli\u003eManage the agency's Enterprise Architecture resources.\u003c/li\u003e\u003cli\u003eProvide leadership in developing, maintaining, and implementing a sound and integrated Enterprise Architecture for the agency and its sub-organizations.\u003c/li\u003e\u003cli\u003eOrganize and chair the agency's Enterprise Architecture advisory group to provide cross-organization business and technical input to Enterprise Architecture-related matters, ensuring CMS programmatic and technical participation in Enterprise Architecture-related activities.\u003c/li\u003e\u003cli\u003eDefine, document, and align the agency's Enterprise Architecture with HHS Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure implementation of the Enterprise Architecture alignment reviews, 
verification of Enterprise Architecture approvals, and granting of waivers within the agency's Capital Planning and Investment Control (CPIC) investment planning and reviews, acquisition procedures, and SDLC project phase reviews.\u003c/li\u003e\u003cli\u003eMonitor program and project artifacts for alignment with Enterprise Architecture requirements, identifying and reporting non-conforming projects for resolution.\u003c/li\u003e\u003cli\u003eAdvise and inform all contractors and developers of Enterprise Architecture standards and compliance requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS adopts data stewardship mechanisms necessary for Enterprise Architecture data of acceptable quality to be created, captured, entered, and maintained promptly in the HHS Enterprise Architecture Repository.\u003c/li\u003e\u003cli\u003eRecommend technical standards to the agency Technical Review Board, ensuring submission to the HHS Chief Enterprise Architect of proposed modifications to HHS Enterprise Architecture and technology standards to meet CMS business requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS Enterprise Architecture-related training requirements are identified, planned for, and implemented.\u003c/li\u003e\u003cli\u003eAdvise or ensure that Enterprise Architecture advice is available to all CMS IT project teams.\u003c/li\u003e\u003cli\u003eRepresent CMS on the HHS Enterprise Architecture Review Board (EARB), and all agency, departmental, and intergovernmental Enterprise Architecture-related advisory bodies or working groups.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAgency Security Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgency Security Operations must fulfill all OpDiv responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv Computer Security Incident Response Team (CSIRT), \u003c/em\u003eand 
applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS Privacy Incident Response Team (PIRT)\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eSecurity operations are a shared responsibility between CMS Agency Security Operations and the ISO's SOC/IRT. For each FISMA system, System Developers and Maintainers are expected to establish, maintain, and operate a SOC/IRT to provide FISMA system situational awareness and incident response. For the CMS enterprise, Agency Security Operations maintains visibility and incident management across all FISMA systems, providing management, information sharing and coordination, unified response (including containment and mitigation approaches), and required reporting across the enterprise to CMS Management.\u003c/p\u003e\u003cp\u003eThe responsibilities for Agency Security Operations, both within the CCIC and across all SOC/IRTs, must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure all personnel with responsibilities for incident response complete annual RBT.\u003c/li\u003e\u003cli\u003eEnsure non-federal technical personnel (SOC/IRT and CCIC) obtain and maintain appropriate commercial information assurance certification credentials that have been accredited by the American National Standards Institute (ANSI) or an equivalent authorized body under the ANSI/International Standards Organization (ISO)/ International Electrotechnical Commission (IEC) 17024 Standard.\u003cul\u003e\u003cli\u003ePersonnel who do not hold a commercial information assurance certification credential must obtain an appropriate credential within six months of the individual's start date or the release date of this document, whichever is later.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEncourage 
federal oversight personnel (SOC/IRT and CCIC) to obtain and maintain a commercial information assurance certification credential that has been accredited by ANSI or an equivalent authorized body under the ANSI/ISO/IEC 17024 Standard.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDirector for the CMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC operates under the direction and authority of the CMS CISO, who appoints the Director for the CCIC.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Director for the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the operational execution of the CCIC function enables the CMS CISO's strategic vision.\u003c/li\u003e\u003cli\u003eOversee the operation of the CCIC.\u003c/li\u003e\u003cli\u003eEnable CCIC capabilities (penetration testing, security engineering, etc.) to efficiently and effectively enhance the CMS enterprise security posture by performing their roles across the enterprise in coordination with CMS groups, partners, and contractors.\u003c/li\u003e\u003cli\u003eSupport the CISO and SOP when immediate disconnection or suspension of any interconnection is required.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC monitors, detects, and isolates information security and privacy incidents and breaches across the CMS enterprise IT environment. The CCIC provides continual situational awareness of the risks associated with CMS data and information systems throughout CMS. 
The CCIC also provides timely, accurate, and meaningful reporting across the technical, operational, and executive spectrum.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as the primary entity in CMS responsible for maintaining CMS-wide operational cyber security situational awareness, based on coordinated enterprise ISCM activities and the overall information security and privacy risk posture of CMS.\u003c/li\u003e\u003cli\u003eServe as the information security and privacy lead organization for coordinating within CMS and identified external organizations for Cyber Threat Intelligence (CTI) sharing, analysis, and response activities, including:\u003cul\u003e\u003cli\u003eIdentify enterprise threats and disseminate advisories and guidance\u003c/li\u003e\u003cli\u003eIdentify and coordinate response with SOC/IRT to ongoing threats to CMS\u003c/li\u003e\u003cli\u003eDevelop and share Indicators of Compromise (IOC)\u003c/li\u003e\u003cli\u003eDevelop and disseminate unified containment and mitigation approaches\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine minimum interoperable defensive technology requirements for CMS systems.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as CMS's primary POC with HHS CSIRC.\u003c/li\u003e\u003cli\u003eReport CMS information security and privacy incidents and breaches to HHS CSIRC.\u003c/li\u003e\u003cli\u003ePerform malware analysis and advanced analytics in support of unified incident response.\u003c/li\u003e\u003cli\u003eCoordinate with the Data Guardian when PII is involved.\u003c/li\u003e\u003cli\u003eCoordinate with the CMS Counterintelligence and Insider Threat Program Office, as 
appropriate.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine enterprise-wide information security and privacy requirements for all phases of the SDLC.\u003c/li\u003e\u003cli\u003eDefine an enterprise-wide, continual assessment process that:\u003cul\u003e\u003cli\u003eValidates incident response processes and procedures\u003c/li\u003e\u003cli\u003eMeets federal law, regulations, mandates, and directives for continual assessment\u003c/li\u003e\u003cli\u003eDefines security data monitored by all SOCs/IRTs and is made available to the CCIC\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine reporting metrics that are compliant with federal law, regulations, mandates, and directives for:\u003cul\u003e\u003cli\u003ePenetration testing\u003c/li\u003e\u003cli\u003eInformation security continuous monitoring\u003c/li\u003e\u003cli\u003eInformation security and privacy incident and breach response\u003c/li\u003e\u003cli\u003eCyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDetermine risk and impact on the CMS enterprise based on:\u003cul\u003e\u003cli\u003eReal-time monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to incidents\u003c/li\u003e\u003cli\u003eCollection, sharing, and analysis of CTI (i.e., knowing the adversary)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003eDevelop, in coordination with the CCIC Director, information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgency Continuity Point of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Agency Continuity Point of Contact must be an agency official (federal government employee) and is the individual the Administrator designates as the accountable official who 
will:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePerform the duties and responsibilities of the Agency Continuity Point of Contact, as set out in HHSs Continuity of Operations Program Policy.\u003c/li\u003e\u003cli\u003eBe directly responsible to the Administrator for management oversight of the CMS continuity program.\u003c/li\u003e\u003cli\u003eServe as the single POC for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIT Advisory Organizations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS Executive Management established IT advisory and decision-making bodies. These organizations ensure proper project planning; proper use of CMS information; and provide technical guidance ensuring IT projects properly integrate within the CMS environment. These organizations promote CMS strategic objectives and enforce federal requirements, including information security and privacy.\u003c/p\u003e\u003cp\u003eThe primary IT Advisory Organizations relevant to information system security and privacy policy are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e, co-chaired by the Chief Operating Officer (COO) and CIO, manages oversight of all CMS investment-related governance boards.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Board (GRB) \u003c/strong\u003eChaired by the CIO, CFO, and Head of Contracting Activity. Members are the Budget Development Group Chairs. The Agencies IT Investment Review Boards and serves as the decision or approval authority for IT expenditure. 
Capital Planning and Investment Control.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Team (GRT) \u003c/strong\u003e- Support staff which gathers information to assist the GRB in making decisions.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eTechnical Review Board (TRB) \u003c/strong\u003eChaired by the CTO and supported by IT Governance, it serves as a key member of the Target Life Cycle Governance Program. The TRB advises and guides IT Project Teams that are moving through the Target Life Cycle to ensure they conform to the CMS Technical Reference Architecture.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eData Governance Board (DGB) \u003c/strong\u003esupports overall agency data governance. Led by the OEDA CMS Chief Data Officer, it works with the national data sets supplied by CMS to different programs.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Strategic Planning Management Council (SPMC) provides leadership and support for executing CMS strategic objectives across all CMS investments. The SPMC provides a forum for ongoing collaboration among teams and overall management of the CMS Strategy.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Board (GRB)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Board (GRB) is established as part of the CMS IT Governance process to enforce the implementation of CMS enterprise standards and strategy. The GRB consists of CMS Senior Leadership which reviews the recommendations for project alternatives. 
The GRB does not make funding decisions, however, they review proposed options and potential solutions to ensure the best solution is implemented by the project team to address the business needs.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Team (GRT) is a project planning body that supports project teams in determining the steps needed to ensure projects are in alignment with CMS Security and Privacy Policy. The GRT will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMake recommendations to the GRB on proposed business cases and alternative analysis ensuring the project:\u003cul\u003e\u003cli\u003eFulfills a need,\u003c/li\u003e\u003cli\u003eDoes not duplicate current processes or functions; and\u003c/li\u003e\u003cli\u003eIs in alignment with current IT Portfolio Goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAdvise Project Teams on the IT Governance Process.\u003c/li\u003e\u003cli\u003eConsist of Subject Matter Experts which support CMS stakeholders in the development of their projects and business cases.\u003c/li\u003e\u003cli\u003eReview Business Cases and support the GRB by providing ongoing review of proposed and operational systems for adherence to CMS policies.\u003c/li\u003e\u003cli\u003eCoordinate with other governance boards when necessary to ensure further reviews are implemented when necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eTechnical Review Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Technical Review Board (TRB) is an advisory board established to ensure IT investments are consistent with CMSs IT strategy. The board manages updates to the \u003cem\u003eCMS TRA \u003c/em\u003eto promote the CMS IT strategy and assists projects by ensuring solutions are technically sound and are on track to deliver promised capabilities on time and on budget. 
The TRB:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technology leadership to deliver business value and anticipate change to meet the current and long-term needs of CMS programs.\u003c/li\u003e\u003cli\u003eImplements and communicates CMS's IT strategy to ensure project solutions are cost-effective, sustainable, and support the agency's business.\u003c/li\u003e\u003cli\u003eProvides technical guidance to ensure CMS's IT Investments are properly integrated into the CMS environment.\u003c/li\u003e\u003cli\u003eSupports teams in building IT features.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Governance Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Data Governance Board (DGB) provides executive leadership and stewardship of the agency's data assets, including oversight for the development and implementation of the policies and processes which govern the collection or creation, management, use, and disclosure of CMS data.\u003c/p\u003e\u003cp\u003eThe DGB ensures intra-agency transparency and data stewardship to promote efficient and appropriate use of, and investment into, agency data resources. Transparency and data stewardship include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eOpenness: \u003c/em\u003ePromoting and facilitating the open sharing of knowledge about CMS data, including an understanding of how and where agency data are collected or created, stored, managed, and made available for analysis.\u003c/li\u003e\u003cli\u003e\u003cem\u003eCommunication: \u003c/em\u003ePromoting partnerships across the CMS enterprise to eliminate duplication of effort, stove-piping, and one-off solution designs.\u003c/li\u003e\u003cli\u003e\u003cem\u003eAccountability: \u003c/em\u003eEnsuring agency-wide compliance with approved data management principles and policies. 
Understanding the objectives of current and future strategic or programmatic initiatives and how they impact, or are impacted by, existing data management principles and policies as well as current privacy and security protocols.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIntegrated Information Security and Privacy Policies\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eCMS Tailored Policies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003edelineates information security and privacy policies, including both mandated security controls and a provision for CMS to develop its own controls over CMS information and information systems as long as the HHS baseline requirements are met. CMS tailored specific security controls to ensure they meet the mission and vision of the organization. This section lists the tailored controls which include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls explicitly mandated for CMS by an authoritative agent (e.g., HHS or other federal agency requirements).\u003c/li\u003e\u003cli\u003eControls modified to address the CMS implementation (e.g., CMS architecture, risk framework, and life cycle management).\u003c/li\u003e\u003cli\u003eControls that address specialized topics that extend beyond NIST 800-53, Revision 5 (e.g., the Federal Risk and Authorization Management Program [FedRAMP], and FISCAM).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEmployee Monitoring / Insider Threat (CMS-EMP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-1 \u003c/strong\u003eThe use of warning banners is mandatory on all CMS information systems in accordance with federal and HHS policy and the ARS control requirements. 
A warning banner states that by accessing a CMS information system, (e.g., logging onto a CMS computer or network), the employee consents to having no reasonable expectation of privacy regarding any communication or data transiting or stored on that system, and the employee understands that, at any time, CMS may monitor the use of CMS IT resources for lawful government purposes. \u003cem\u003e(For the purposes of this policy requirement, the term “employee” includes all individuals who have been provided and currently have access to CMS IT resources and who are current employees, contractors, guest researchers, visiting scientists, and fellows. The term excludes individuals who are not or are no longer CMS employees, contractors, guest researchers, visiting scientists, or fellows.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-2 \u003c/strong\u003eIn accordance with HHS policy, the CMS CIO must carry out monitoring in a fashion that protects employee interests and ensures the need for monitoring has been thoroughly vetted and documented.\u003c/p\u003e\u003cp\u003eComputer monitoring of an employee at CMS may be requested by HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cem\u003e(For the purposes of this policy, the term “computer monitoring” covers monitoring of CMS IT resources, including real-time or contemporaneous observation, prospective monitoring, (e.g., using monitoring software), and retrospective review and analyses (e.g., of email sent or received, of computer hard-drive contents) focusing on an individual employee. This section of policy does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or FISMA that perform general system and network monitoring or examinations of computers for malware. 
Additionally, computer monitoring excludes any review and analysis requested by or approved by the employee(s) being covered. This does not apply to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act (FOIA) requests, and investigations by the Government Accountability Office (GAO) and the Office of Special Counsel. Such retrospective searches may be conducted with the consent of the employee or the authorization of the CMS CIO.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-3 \u003c/strong\u003eAll requests from outside law enforcement agencies must be coordinated through the HHS/OIG, except for requests relating to national security or non-criminal insider threat matters. The latter must be coordinated via the Counterintelligence and Insider Threat Program of the Division of Strategic Information (DSI), which in turn coordinates with the HHS/ONS on all requests. Such external computer monitoring requests may be subject to different standards, partly because they are covered by the internal controls of the requesting agency or judicial process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-4 \u003c/strong\u003eNo CMS official may initiate computer monitoring without advance written authorization by the CMS Administrator or the CMS CIO. By HHS policy, this authority to authorize monitoring may not be delegated below the CMS CIO. Prior to submission of a monitoring request, the CMS CIO or HHS/ONS consults with the HHS Office of the General Counsel (OGC). 
The requesting organization documents the basis for approving any request for computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-5\u003c/strong\u003e Computer monitoring may only be authorized for the following reasons:\u003c/p\u003e\u003col\u003e\u003cli\u003eMonitoring has been requested by the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority in accordance with CMS Administrative Services Group, DSI and federally recognized jurisdiction.\u003c/li\u003e\u003cli\u003eReasonable grounds exist to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information (e.g., confidential commercial information or \u003cem\u003ePrivacy Act \u003c/em\u003eprotected information).\u003c/li\u003e\u003cli\u003eReasonable grounds exist to believe that the individual to be monitored may have violated an applicable law, regulation, or written HHS or CMS policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eRoutine IT equipment examinations are permissible when malware searches are involved. 
Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this policy except for follow-up actions that involve computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-6 \u003c/strong\u003eIn circumstances in which HHS/OIG requests computer monitoring for purposes of an HHS/OIG investigation or where HHS/OIG requires assistance in the conduct of computer monitoring, HHS/OIG will provide such information or notification as is consistent with its responsibilities, duties, and obligations under the \u003cem\u003eInspector General Act of 1978, \u003c/em\u003eas amended.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.1\u003c/em\u003e In concert with the HHS/OGC, the CMS CIO must develop a memorandum of understanding (MOU) or similar written agreement with outside law enforcement agencies as a precondition for approving monitoring requests from these organizations. The MOU must include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTitle and organizational component of the person(s) authorized to make monitoring requests on behalf of the law enforcement agency.\u003c/li\u003e\u003cli\u003eDocumentation of the source of the official request demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring (e.g., a subpoena [administrative or grand jury], warrant, national security letter [NSL], or other acceptable documented request [e.g., a written law enforcement administrative request that meets applicable requirements of the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA requirements for certain disclosures to law enforcement agencies]).\u003c/li\u003e\u003cli\u003eAny restrictions applicable to the handling and disclosure of confidential information that may be produced by monitoring.\u003c/li\u003e\u003cli\u003eOther items consistent with this memorandum, including handling sensitive communications, as described in the 
following bullet (Documentation).\u003c/li\u003e\u003cli\u003eDocumentation: the written authorization for computer monitoring describes the reason for the monitoring. If the monitoring is initiated at the request of outside law enforcement authorities, the authorization documents that the request was approved, consistent with the applicable MOU with that organization, by an official of the governmental entity that has the authority to request the initiation of such monitoring.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.2\u003c/em\u003e Except for monitoring initiated at the request of an outside law enforcement authority or the HHS/OIG, the party requesting the monitoring must document the factual basis justifying the request for monitoring and the proposed scope of the request. Requests for such monitoring must include an explanation of how monitoring will be conducted, how the information collected during monitoring will be controlled and protected, and a list of individuals who will have access to the resulting monitoring information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.3\u003c/em\u003e A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-7 \u003c/strong\u003eThe CMS Administrator or CMS CIO must ensure authorized computer monitoring is appropriately narrow in scope and time-limited and takes the least invasive approach to accomplish monitoring objectives. 
The CMS Administrator or CMS CIO, in reviewing requests for monitoring, must consider whether there are alternative information gathering methods that CMS can utilize to address the concern in lieu of monitoring. When the monitoring request originates from HHS/OIG or outside law enforcement, CMS will grant appropriate deference to a request made in accordance with this policy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-8\u003c/strong\u003e No monitoring authorized or conducted may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys. Employee union officials of CMS will be treated, for non-targeted monitoring purposes, as all other employees of CMS when monitoring is necessary. If such protected communications are inadvertently collected or identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring or anyone else without express written authorization from the HHS/OGC and other appropriate HHS official(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-9 \u003c/strong\u003eWhen a request for computer monitoring is made by a party other than an outside law enforcement authority or the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program, CMS must consult with the OGC as to whether the monitoring is consistent with all applicable legal requirements, including the \u003cem\u003eWhistleblower Protection Act \u003c/em\u003eand \u003cem\u003eHIPAA, \u003c/em\u003eand consider whether there are any additional limits. 
In addition, except for monitoring initiated at the request of outside law enforcement or the HHS/OIG, parties that receive information derived from monitoring must consult with the OGC as to potential restrictions on the use of such information under applicable law.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-10 \u003c/strong\u003eThe CMS CIO must review all employee monitoring every month and, in consultation with the party who requested the monitoring, assess whether it remains justified or is to be discontinued. The CMS CIO must consider whether or not the decision for ongoing monitoring must be reviewed by the OGC. A decision to continue monitoring must be explained and documented in writing by the CMS CIO, who must report at least monthly to the CMS Administrator regarding the status of any ongoing monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-11\u003c/strong\u003e The CMS CIO and the OGC may make recommendations to the CMS Administrator for additional procedures, if necessary, to address specific circumstances not addressed in this policy. 
Insider threat policies and procedures that deviate from the elements of this policy, however, must not be implemented without the written concurrence of the HHS CIO in consultation with the OGC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management Framework (CMS-RMF)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-RMF-1\u003c/strong\u003e The CMS CISO must develop and maintain within the ARS \u003cem\u003eAssessment, Authorization, and Monitoring \u003c/em\u003efamily of controls minimum controls to ensure information systems: (i) are assessed at least every three years or whenever a significant change occurs (as defined in the CMS established procedures; NIST SP 800-37, revision 2, describes examples of significant changes to an information system that should be reviewed for possible re-authorization) to the information system to determine if security and privacy controls are effective in their application; (ii) have POA\u0026amp;Ms designed to correct\u0026nbsp;deficiencies and reduce or eliminate vulnerabilities; (iii) are authorized for processing (including any associated information system connections) by the CMS CIO; and (iv) are monitored on an ongoing basis to ensure the continued effectiveness of the controls. In addition, the CMS CISO, where necessary to add clarity, provides methods in the form of \u003cem\u003eChapters, Procedures, \u003c/em\u003eand/or \u003cem\u003eStandards \u003c/em\u003ewithin the CMS established procedures to facilitate implementation, assurance, and tracking effectiveness of those controls. 
Minimally, these processes and procedures must address the following:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.1 \u003c/em\u003eEnsure all systems and networks receive a system categorization in accordance with the frameworks set forth in FIPS 199, NIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories\u003c/em\u003e, as amended, and please refer to the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.2 \u003c/em\u003eEnsure CMS Business Owners/ISOs conduct risk assessments on systems and networks and document the result in accordance with NIST SP 800-30, \u003cem\u003eGuide for Conducting Risk Assessments\u003c/em\u003e, as amended\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.3\u003c/em\u003e Ensure the CMS Business Owners/ISOs review and update risks, as necessary, no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.4\u003c/em\u003e Ensure CMS Business Owners/ISOs implement appropriate information security and privacy controls as documented in an information system security and privacy plan for each CMS system and network in accordance with NIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and that CMS Business Owners/ISOs review and update plans as needed but no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.5\u003c/em\u003e Ensure CMS Business Owners/ISOs implement and document information security and privacy controls outlined in NIST SP 800-53, Revision 5.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.6 \u003c/em\u003eAssess the controls using the procedures outlined in NIST SP 800-53A, as amended, \u003cem\u003eAssessing Security and Privacy Controls in Information Systems and 
Organizations.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.7\u003c/em\u003e Develop, disseminate, and review/update: (i) formal, documented security assessment and authorization standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.8\u003c/em\u003e Determine (i) the required level of Security Control Assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets and to individuals; and (ii) if the level of Security Control Assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.9\u003c/em\u003e Ensure all CMS systems and networks are formally assessed and authorized using the methodology outlined in NIST SP 800-37 Revision 2, and in accordance with the minimum content requirements for the creation of security authorization packages, as stated in the ARS and the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.10 \u003c/em\u003eEnsure the \u003ca href=\"https://csrc.nist.gov/glossary/term/security_control_assessor\"\u003eSecurity Control Assessor(s)\u003c/a\u003e\u0026nbsp;is identified and assigned prior to applying the RMF tasks to the information system. 
The AO for the information system (i) is the CMS CIO, (ii) authorizes the information system for processing before commencing operations, and (iii) uses the results of the ISCM process to the maximum extent possible as the basis for rendering a re-authorization decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.11\u003c/em\u003e Require SIA and PIA review when any significant change occurs to a CMS system, network, physical environment, etc., to assess the impact of the change on the information security and privacy of the information processed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.12 \u003c/em\u003eEnsure CMS Business Owners/ISOs request to re-authorize all systems at least every three years or when a significant change occurs to the system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.13\u003c/em\u003e Develop an ISCM strategy and implement an ISCM program that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e(i) a configuration management process for the information system and its constituent components;\u003c/li\u003e\u003cli\u003e(ii) determination of the security impact of changes to the information system and environment of operation;\u003c/li\u003e\u003cli\u003e(iii) ongoing information security and privacy control assessments in accordance with the organizational ISCM strategy; and\u003c/li\u003e\u003cli\u003e(iv) reporting on the security state of the information system to appropriate organizational officials.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe organization assesses the information security and privacy controls in an information system, at a minimum, as part of (i) security authorization or re-authorization, (ii) meeting the FISMA requirement for annual assessments, (iii) ISCM, and (iv) testing/evaluation of the information system as part of the SDLC process. 
Those controls that are the most volatile (e.g., controls mostly affected by ongoing changes to the information system or its environment of operation) or deemed essential to protecting CMS operations and assets, individuals, other organizations, and the nation are assessed more frequently in accordance with the CMS CISO's assessment of risk as defined in the CMS established procedures. All other controls are assessed at least once during the information system's three-year authorization cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Systems Development Life Cycle (CMS-SDLC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity Architecture and Engineering (SA\u0026amp;E) activities help CMS Components align with enterprise information security and privacy capabilities, reporting processes, and requirements. SA\u0026amp;E ensures that the information security environment continues to meet business needs and address new and emerging threats by identifying risks and providing adequate information security and privacy protections through testing, implementation, and improvement of new and existing technologies and processes. To help guide a unified enterprise approach to implementing information security and privacy architecture, the risk management and compliance functional area publishes and updates information security and privacy technical guidance and provides input into the development of TRA security-related supplements.\u003csup\u003e17\u003c/sup\u003e Security Assessment and Authorization (SA\u0026amp;A) processes help CMS Business Owners/ISOs comply with Capital Planning and Investment Control (CPIC) processes and CMS's SDLC processes to incorporate the security requirements of the ARS and the CMS TRA to obtain system authorization, also referred to as Authority to Operate (ATO), prior to operation. 
The CMS CISO and SOP follow the procedures outlined in the RMF for SA\u0026amp;A in accordance with FISMA and the direction of the CMS CIO.\u003c/p\u003e\u003cp\u003eThe SA\u0026amp;A processes help CMS stakeholders identify information security and privacy risks, assess the adequacy of information security and privacy controls, and ensure information security and privacy responsibilities are assigned prior to authorizing systems for operation. These processes incorporate ISCM and periodic manual assessment techniques to appropriately test the ongoing effectiveness of all controls.\u003c/p\u003e\u003cp\u003eBy following CPIC, SDLC, and RMF, System Developers and Maintainers include information security and privacy requirements from project initiation throughout the life cycle and implement the appropriate controls to manage information security and privacy risk.\u003c/p\u003e\u003cp\u003eThe ARS provides specific standards for completing the RMF process and includes descriptions of the artifacts required to document information and information system controls. The SA\u0026amp;A processes result in identification of information security and privacy risks that must be managed by the POA\u0026amp;M processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-1\u003c/strong\u003e The CISO must integrate information security and privacy into the CMS life cycle processes. 
The SDLC provides the processes and practices of the CMS system development life cycle in accordance with the \u003cem\u003eCMS Policy for Information Technology (IT) Investment Management \u0026amp; Governance\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-2\u003c/strong\u003e Program Executives must engage the System Security and Privacy Officer (previously known as ISSO), CRA, and privacy team early and throughout the SDLC.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-3\u003c/strong\u003e The SDLC processes and procedures must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.1\u003c/em\u003e Integrate information security and privacy requirements into all CMS SDLC activities (i.e., The four distinct phases of the CMS TLC include Initiate, Develop, Operate, and Retire).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.2\u003c/em\u003e Ensure critical SDLC stage gate reviews are conducted to govern the information security and privacy posture of the system being developed. The TRB must evaluate the information security and privacy risk introduced by the system and provide guidance to improve system architecture and engineering.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eThe CMS Technical Review Board (TRB) provides technical guidance to assist project teams with their IT investments and enable them to be integrated within CMS' IT environment. At the project level, the TRB has advisory support services to ensure project solutions are technically sound and on track to deliver the target capabilities. 
The TRB also promotes IT reuse, information sharing, and systems integration across the Agency.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.3 \u003c/em\u003eAssign information security and privacy roles for the information system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.4\u003c/em\u003e Ensure system information security and privacy controls are assessed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.5\u003c/em\u003e Ensure system authorization prior to entering the O\u0026amp;M phase of the SDLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCloud Computing Requirements (CMS-CLD)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS developed CMS-CLD policies to provide guidance and direction on the acceptable uses of cloud service providers (CSP) and cloud computing services in compliance with the \u003cem\u003eFederal Cloud Computing Strategy (Cloud Smart) \u003c/em\u003ewhen used as part of a CMS FISMA system\u003cem\u003e. \u003c/em\u003eThe CMS-CLD policies define directives concerning the procurement, deployment, and utilization of cloud computing services across the CMS enterprise.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://cloud.cio.gov/strategy/\"\u003e\u003cem\u003eCloud Smart\u003c/em\u003e\u003c/a\u003e, CMS permits cloud services within the CMS environment. 
CMS established the policies in this section to guide the use of cloud services and cloud computing installations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-1\u003c/strong\u003e All cloud service implementations used must have an approved Federal Risk and Authorization Management Program (FedRAMP) Authorization and CMS-issued ATO\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-CLD-1.1\u003c/em\u003e If a Software as a Service (SaaS) product does not have a current FedRAMP authorization, a Rapid Cloud Review (RCR) and a CMS-issued Provisional Authority to Operate (P-ATO) would be needed to assess FedRAMP readiness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-2 \u003c/strong\u003eAll FISMA systems and applications deployed on a CSP service must have a valid CMS-issued ATO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-3\u003c/strong\u003e All CSP systems must integrate with continuous monitoring and identity management systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Email Encryption Requirements (CMS-EMAIL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with information security and privacy encryption policies defined by federal laws, executive orders, directives, regulations, policies, standards, and guidance (e.g., HIPAA, Health Information Technology for Economic and Clinical Health [HITECH], Privacy Act, and IRS Publication 1075). 
The CMS Email Encryption Requirements control family provides the CMS standards for implementing information security and privacy controls.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMAIL-1\u003c/strong\u003e CMS Sensitive Information must be protected and only sent to recipients with a “need to know.” Emails containing sensitive information must be protected using one of the following steps:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.1\u003c/em\u003e Ensure unencrypted emails containing sensitive information remain within the CMS email service environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2 \u003c/em\u003eFor recipients outside of the CMS email service environment or trusted domain:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.1\u003c/em\u003e Encrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.2 \u003c/em\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using software that meets FIPS 140-2 for encryption software (e.g., SecureZip).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.3\u003c/em\u003e Sending passwords for an encrypted attachment via email is prohibited. Instant messaging clients that are integrated with Microsoft Outlook, such as Lync/Skype, must not be used to communicate passwords. Acceptable approaches for sharing passwords include phone conversation, text message, or a shared secret. 
The method chosen must protect the password from compromise.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eProgram Specific Requirements\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Level Control Packages\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has enterprise-level security and privacy controls for inheritance that are based on information security and privacy policies, programs or services that are provided by the offices of the CIO and CISO. These controls must be accounted for within the CMS governance, risk and compliance (GRC) tool in order for them to be leveraged as inherited controls among the FISMA systems. As part of the GRC tool, the systems are designated as FISMA systems, but they are not actual FISMA systems and are not subject to the requirements listed in section 8.1.2. Risk Management Framework (CMS-RMF).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with the Office of Management and Budget (OMB) Memorandum M-19-03, \u003cem\u003eStrengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/em\u003e; the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02, \u003cem\u003eSecuring High Value Assets\u003c/em\u003e; and the \u003cem\u003eHHS High Value Asset (HVA) Program Policy\u003c/em\u003e (August 2019).\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eHHS HVA Program Policy \u003c/em\u003edefines HVAs as:\u003c/p\u003e\u003cp\u003eAssets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.\u003c/p\u003e\u003cp\u003eThe HHS policy requires CMS to 
establish appropriate governance of HVA activities across its organization and integrate HVA remediation activities into its planning, programming, budgeting, and execution process. These efforts will align with federal law, regulations, standards, and guidelines, as well as CMS policies, processes, and procedures. To meet the HHS policy, CMS will conduct the following activities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-1\u003c/strong\u003e The CMS CIO develops a process for creating and maintaining an HVA inventory, consistent with any format and content specified by HHS. Upon request, the Program will complete or update the inventory. HHS may require the inventory to note any or all threats, vulnerabilities, and impacts, and the likelihood of each of these occurring, associated with each system. CMS will share its HVA inventory with HHS upon request, following HHS instructions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-2\u003c/strong\u003e When creating or updating HVA-related contracts and acquisition requirements, CMS Contracting Officer's Representatives (COR) must incorporate appropriate language from the HHS Security and Privacy Language for Information and Information Technology Procurements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-3\u003c/strong\u003e HVA-related artifacts must be handled as directed by OMB and DHS. These documents include instructions for securing and encrypting all correspondence involving HVA-related information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-4 \u003c/strong\u003eHVAs must have a valid Authority to Operate (ATO). 
An ATO must reflect that appropriate safeguards have been implemented to protect the HVA, many of which will be specific to HVAs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-5 \u003c/strong\u003eSecurity assessments must be conducted as a minimum requirement by the CISA-Led Assessment Team for Tier 1 HVAs, Third Party/Independent Assessor for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 2 HVAs\u003c/a\u003e, and Self-Assessment for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 3 HVAs\u003c/a\u003e at the frequency and rigor stipulated by CISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-6\u003c/strong\u003e The CMS CIO, Senior Official for Privacy (SOP) or designated official, must develop a Standard Operating Procedure (SOP) for reviewing CMS's HVAs to identify those HVAs that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal Taxpayer Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystems that collect, maintain, use, or disclose Federal Tax Information (FTI) must follow IRS requirements for protecting FTI. Business Owners of CMS systems, with direction provided by the OIT, must ensure that all applicable information security and privacy controls, whether\u0026nbsp;imposed by an organization or office internal or external to CMS, are incorporated into CMS systems.\u003c/p\u003e\u003cp\u003eThe IRS defines Federal Tax Information as federal tax returns and return information (and information derived from it) that is in the agency's possession or control which is covered by the confidentiality protections of the Internal Revenue Code (IRC) and subject to the IRC 6103(p)(4) safeguarding requirements including IRS oversight. 
CMS often receives, accesses, and uses FTI in conducting its business processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-1\u003c/strong\u003e Business Owners that collect, maintain, use, or disclose FTI must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.1\u003c/em\u003e Comply with IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.2\u003c/em\u003e Document and certify the incorporated controls in their respective system security and privacy plan and identify residual risks in the corresponding risk assessment for their systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.3\u003c/em\u003e Disclose FTI to its agents solely for purposes for which there is an appropriate legal authority, and for which IRS has granted an exception permitting its disclosure.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.4\u003c/em\u003e Notify the IRS Office of Safeguards prior to re-disclosing FTI to contractors. Notify and obtain written approval from the IRS Office of Safeguards prior to re-disclosing FTI to sub-contractors.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.5\u003c/em\u003e Notify the IRS Office of Safeguards when there has been a breach of FTI.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.6\u003c/em\u003e Execute a contract or other agreement with any recipient of the FTI. 
The contract must require the recipient to abide by IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e, including its requirements for providing privacy and security controls for FTI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-2\u003c/strong\u003e Users with access to FTI must adhere to the following when working from Alternative Work Sites:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.1\u003c/em\u003e Telework Locations - FTI remains subject to the same safeguard requirements and the highest level of attainable security. All the requirements of IRS Publication 1075, Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.2\u003c/em\u003e Equipment - CMS must retain ownership and control of all hardware, software, and end-point equipment connecting to public communication networks, where these are resident at all alternate work sites. Alternatively, the use of virtual desktop infrastructure with non-CMS-owned devices (including personally-owned devices) is acceptable, where all requirements in IRS Publication 1075, Section 9.4.13 Virtual Desktop Infrastructure are met.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.3 \u003c/em\u003eData Storage - FTI may be stored on hard disks only if CMS-approved security access control devices (hardware/software) have been installed, are receiving regularly scheduled maintenance including upgrades, and are being used. 
Access controls must include password security, an audit trail, encryption, virus detection, and data overwriting capabilities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.4 \u003c/em\u003eInspection - Alternate work sites may be subject to periodic inspections by CMS personnel to ensure that safeguards are adequate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and Privacy Control Families\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS ARS is central to the security and privacy framework. Through this document, CMS identifies the essential set of security and privacy controls that must be implemented for CMS Information Systems. CMS established these safeguards based on the agency's interpretation of applicability of HHS and CMS internal policies and guidance, mandates and legislative guidance specific to the CMS environment. Each control family has a specific set of “dash one” controls that requires that policies be in place while the remaining controls provide details for implementing the policy. The “dash one” controls are included in this \u003cem\u003ePolicy \u003c/em\u003ewhile the required implementation of the details for each security and privacy control are outlined in the ARS. This section provides an overview of the policy requirements associated with each “dash one” control family and includes additional details required for these “dash one” controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAccess Control (AC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAC-1\u003c/strong\u003e The Program must develop and document an access control policy that addresses purpose, scope, responsibility, management commitment, coordination among organizational entities, and compliance. 
The Access Control family of controls ensures access to information systems is limited to authorized users, processes acting on behalf of authorized users, and devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Access Control Policies and Procedures\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.2\u003c/em\u003e Develop an Access Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Access Control family of controls and following defined events in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.4\u003c/em\u003e Disseminate policies, procedures, and standards for the Access Control family of controls to all personnel who perform roles defined within this \u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.5 \u003c/em\u003eMaintain all policies, procedures, and standards associated with the Access Control family of controls to reflect applicable federal laws, executive orders, directives, regulations, policies, standards, and guidance.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.6 \u003c/em\u003eDefine access control policies and procedures to provide the foundation required to ensure privacy protections are implemented for the identified uses of PII and PHI.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training (AT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAT-1 \u003c/strong\u003eThe Program must develop and maintain minimum controls to ensure managers and users of information systems are made aware of the information security and 
privacy risks associated with their activities and of the applicable federal and agency requirements related to the information security and privacy of CMS systems. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Awareness and Training family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAT-1.1.1 Develop topic-based training to explain privacy processes carried out within CMS and update topic-based training courses when significant changes occur to privacy processes.\u003c/p\u003e\u003cp\u003eAT-1.1.2 Develop and implement an information security and privacy education, awareness, and training program for all employees and individuals working on behalf of CMS involved in managing, using, and/or operating information systems.\u003c/p\u003e\u003cp\u003eAT-1.1.2.1 Ensure information security awareness and training is provided to all employees and contractors, and that all employees and contractors review and acknowledge an approved RoB within sixty (60) days from entry on duty (EOD) date, or commencement of work on a contract or subcontract; and ensure they review and acknowledge the RoB annually thereafter.\u003c/p\u003e\u003cp\u003eAT-1.1.2.2 Ensure privacy awareness and training is provided within sixty (60) days from EOD date, or commencement of work on a contract or subcontract, and annually thereafter, to all employees and contractors to explain the importance and responsibility in safeguarding PII and PHI and ensuring privacy, as established in federal legislation, regulations, and OMB guidance.\u003c/p\u003e\u003cp\u003eAT-1.1.2.3 Ensure system information security and privacy training records are documented in support of annual FISMA reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-2\u003c/strong\u003e The Program must develop and maintain minimum controls to ensure those with 
“significant information security and privacy responsibilities” receive adequate role-based training (RBT) to carry out those responsibilities. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.1 \u003c/em\u003eEnsure initial and periodic information security and privacy RBT is provided for all individuals in roles that possess significant information security and privacy responsibilities, including those that are CMS federal employees, contractors, and subcontractors. CMS RBT must meet or exceed HHS RBT requirements, as follows:\u003c/p\u003e\u003cp\u003eAT-2.1.1 CMS must identify all personnel (employees and contractors) and their associated work roles with significant information security and privacy responsibilities, in accordance with the HHS Cybersecurity Coding Guide and the National Initiative for Cybersecurity Education (NICE) Framework. The Program will identify appropriate minimum RBT requirements for each identified role with significant information security and privacy responsibilities.\u003c/p\u003e\u003cp\u003eAT-2.1.2 All CMS employees, including managers, Senior Executive Service (SES) personnel, and contractors who have significant information security and privacy responsibilities, must complete minimum RBT requirements within sixty (60) days from EOD date, or commencement of work on a contract or subcontract. Thereafter, all personnel with significant information security and privacy responsibilities must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.3 Individuals who change roles within CMS such that they assume new significant information security and privacy responsibilities, or who otherwise assume such responsibilities, must complete RBT within 60 days of assuming those new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.4 All CMS employees and contractors with significant information security and privacy responsibilities who have not completed the required training within the mandated timeframes will have their user accounts disabled until they have met their RBT requirement.\u003c/p\u003e\u003cp\u003eAT-2.1.5 All companies/vendors contracting with CMS are responsible for ensuring that their personnel who have significant information security and privacy responsibilities have training commensurate with their role. Training records must be submitted to CMS upon commencement of work and annually thereafter (or upon request, whichever comes first).\u003c/p\u003e\u003cp\u003eAT-2.1.6 The CMS CISO, in coordination with the CMS's Training Coordinator(s) and Contracting Officers/Representatives (CO/COR), must track and maintain RBT records for all personnel with significant information security and privacy responsibilities. All training records must be retained consistently with an appropriately selected records retention schedule.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.2\u003c/em\u003e Develop appropriate security and privacy RBT for personnel with significant information security and privacy responsibilities in accordance with all relevant federal laws, regulations, and guidelines. The Program may provide such training in the form of CMS- or HHS-approved courses or professional development training, or in other appropriate formats. Personnel may also request approval for external training, such as certificate programs or college courses, to satisfy their RBT requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.3 \u003c/em\u003eRequire personnel wishing to receive credit for any form of RBT taken from an organization external to CMS, in satisfaction of any CMS or HHS training requirement to first seek review and approval from their supervisor (or for contractors, from their employer). 
The Program may further require personnel to supply information concerning completion of such external programs (such as grade reports or certificates of completion) before providing personnel with credit or acknowledgment for having satisfied the relevant RBT requirement.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.4\u003c/em\u003e In addition to periodically identifying all \u003cem\u003eroles \u003c/em\u003eof personnel that have significant information security and privacy responsibilities, CMS will also periodically identify all \u003cem\u003especific individuals \u003c/em\u003ewho serve in roles with significant information security and privacy responsibilities. CMS managers are responsible for cooperating with the Program to identify individuals with significant information security and privacy responsibilities, and for ensuring that the personnel they manage are appropriately categorized in their roles. CMS managers will be required to complete this identification process as a CMS personnel needs assessment.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.5\u003c/em\u003e Personnel who assume multiple roles must complete at least one training that addresses the unique responsibilities associated with at least one role. CMS managers must also ensure the personnel they manage complete the appropriate minimum RBT requirements in the required time frames.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.6\u003c/em\u003e The Program may request verification of completion of RBT of all personnel from CMS managers. 
The Program may require managers to supply adequate information, for each individual completing RBT, to verify the individual's identity, the content of the RBT, and proof of completion of RBT.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-3\u003c/strong\u003e Develop an Awareness and Training Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-4 \u003c/strong\u003eReview and update policies, procedures, and standards for the Awareness and Training Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAudit and Accountability (AU)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAU-1\u003c/strong\u003e The Program must develop and maintain (within the Audit and Accountability family of controls) minimum controls to ensure information system audit records are created, protected, and retained to the extent needed to: (i) enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Audit and Accountability family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAU-1.1.1 Identify which events the organization audits, based on a risk assessment and mission/business needs.\u003c/p\u003e\u003cp\u003eAU-1.1.2 Identify and ensure a subset of auditable events applicable to the information system is chosen, based on threat information and risk assessment.\u003c/p\u003e\u003cp\u003eAU-1.1.3 Identify and ensure the rationale is provided for why the list of auditable events is deemed adequate to support incident investigations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.2\u003c/em\u003e Develop an Audit and Accountability Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.3\u003c/em\u003e Ensure audit record content for all CMS system components, at a minimum, includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of the event\u003c/li\u003e\u003cli\u003eComponent of the information system (e.g., software component, hardware component) where the event occurred\u003c/li\u003e\u003cli\u003eType of event\u003c/li\u003e\u003cli\u003eUser/subject identity\u003c/li\u003e\u003cli\u003eOutcome (success or failure) of the event\u003c/li\u003e\u003cli\u003eExecution of privileged functions.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eAU-1.4 \u003c/em\u003eEnsure audited events are significant and relevant to the information security and privacy needs associated with the information system.\u003c/p\u003e\u003cp\u003eAU-1.4.1 Auditing must be compliant with the \u003ca href=\"http://www.uscourts.gov/file/rules-evidence\"\u003eFederal Rules of Evidence \u003c/a\u003eas published by US Courts.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.5 \u003c/em\u003eDefine CMS 
processes, procedures, and standards for the maintenance and review of audit logs for indications of inappropriate or unusual activity to ensure:\u003c/p\u003e\u003cp\u003eAU-1.5.1 Findings are reported to the designated CMS officials, including system officials with a need to know (e.g., Business Owner, Security and Privacy Officer).\u003c/p\u003e\u003cp\u003eAU-1.5.2 The level of audit review, analysis, and reporting is adjusted when there is a change in risk.\u003c/p\u003e\u003cp\u003eAU-1.5.3 A uniform time and time protocol is implemented across CMS, based on CMS-approved sources.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.6\u003c/em\u003e Ensure audit and accountability policies, processes, procedures, and standards directly support privacy audit and accountability requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.7 \u003c/em\u003eCoordinate information security- and privacy-related audit functions with other entities that require audit information to enhance mutual support and guide the selection of auditable events.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.8\u003c/em\u003e Review and update policies, procedures, and standards for the Audit and Accountability Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessment, Authorization, and Monitoring (CA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCA-1 \u003c/strong\u003eThe Program must develop and document a security assessment and authorization control policy governing the assessment and authorization of FISMA systems within the CMS enterprise environment or any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Security Assessment and Authorization family of security controls in the ARS to:\u003c/p\u003e\u003cp\u003eCA-1.1.1 Perform security assessments on information systems and the environments in which those systems operate as part of (i) initial and ongoing security authorizations, (ii) FISMA annual assessments, (iii) continuous monitoring, and (iv) system development life cycle activities.\u003c/p\u003e\u003cp\u003eCA-1.1.2 Authorize connections from the information system to other information systems through the use of Interconnection Security Agreements.\u003c/p\u003e\u003cp\u003eCA-1.1.3 Develop and submit a POA\u0026amp;M for the information system as a result of any security assessment findings.\u003c/p\u003e\u003cp\u003eCA-1.1.4 Develop an ISCM strategy and implement a program compliant with HHS ISCM Strategy.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.2\u003c/em\u003e Develop a Security Assessment and Authorization Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Security Assessment and Authorization Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfiguration Management (CM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCM-1 \u003c/strong\u003eThe CMS Configuration Management Executive must coordinate with the CMS CISO and the Program to document the configuration management processes and procedures to define configuration items at the system and component level (e.g., hardware, software, workstation); monitor configurations; and track and approve changes prior to implementation, including but not limited to 
flaw remediation, security patches, and emergency changes (e.g., unscheduled changes such as mitigating newly discovered security vulnerabilities, system crashes, replacement of critical hardware components). Baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) must be established and maintained throughout the respective system life cycles, and security configuration settings for information products employed in information systems must be established and enforced. In coordination with the CMS Configuration Management Executive, the Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Configuration Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCM-1.1.1 Ensure configuration management procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eCM-1.1.2 Ensure scheduled changes to networks or systems are authorized prior to implementation and are not permitted outside of the configuration management process.\u003c/p\u003e\u003cp\u003eCM-1.1.3 Monitor system configurations and changes to ensure configuration management processes and procedures are followed.\u003c/p\u003e\u003cp\u003eCM-1.1.4 Evaluate the configuration management process periodically, as specified in the ARS, as part of the required FISMA reporting process to verify adequacy and effectiveness.\u003c/p\u003e\u003cp\u003eThrough the Program the CMS CISO, in coordination with the CMS Configuration Management Executive, defines and develops policies to ensure CMS Business Owner/ISOs:\u003c/p\u003e\u003cp\u003eCM-1.1.5 Implement and enforce configuration management controls for all CMS systems and networks.\u003c/p\u003e\u003cp\u003eCM-1.1.6 Develop, document, and 
maintain a current baseline configuration of each system and the system’s constituent components.\u003c/p\u003e\u003cp\u003eCM-1.1.7 Develop, document, and maintain an inventory of the components, both hardware and software, that includes relevant ownership information.\u003c/p\u003e\u003cp\u003eCM-1.1.8 Test, validate, and document proposed changes prior to implementation to assess the impact to the information security and privacy of data.\u003c/p\u003e\u003cp\u003eCM-1.1.9 Ensure systems categorized as “Moderate” or “High” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRetain older versions of baseline configurations as deemed necessary to support rollback\u003c/li\u003e\u003cli\u003eMaintain a baseline configuration for development and test environments to ensure development and test environments are managed separately from the operational environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThrough the program, the CMS CISO must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.10 Current (up-to-date) anti-virus (AV)/anti-malware and host-based intrusion detection system (HIDS) applications are included, as appropriate, on systems connected to the CMS network.\u003c/p\u003e\u003cp\u003eCM-1.1.11 AV software is configured to automatically perform periodic virus scanning.\u003c/p\u003e\u003cp\u003eCM-1.1.12 HIDS software is configured to automatically scan all inbound and outbound network traffic.\u003c/p\u003e\u003cp\u003eThe CMS Configuration Management Executive must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.13 All systems and system components adhere to \u003cem\u003eHHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eCM-1.1.14 Appropriate CCBs are created and managed for the review and approval of changes.\u003c/p\u003e\u003cp\u003eCM-1.1.15 Configuration management includes a representative from the system as a member of the CCB. 
Participation on the CCB is at the Security Control Assessor’s discretion. If the Security and Privacy Officer or Security Control Assessor acts as a voting member of the CCB, they must be a federal employee.\u003c/p\u003e\u003cp\u003eCM-1.1.16 Personnel with configuration management responsibilities are trained on CMS configuration management processes.\u003c/p\u003e\u003cp\u003eCM-1.1.17 Change documentation is maintained for no less than 12 months after a change is made.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.2\u003c/em\u003e Develop a Configuration Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.3\u003c/em\u003e For systems categorized as “High” under FIPS 199, ensure detection of unauthorized information security and privacy relevant configuration changes is incorporated into the incident response capability to ensure events are tracked, monitored, corrected, and available for historical purposes.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.4 \u003c/em\u003eReview and update policies, procedures, and standards for the Configuration Management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCP-1\u003c/strong\u003e The Program must develop and maintain the Contingency Planning family of controls to ensure contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems are established, maintained, and effectively implemented. IT Contingency Plans ensure the availability of critical information resources and continuity of operations in emergency situations. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Contingency Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCP-1.1.1 Work with Business Owners/ISOs to develop and document an IT contingency plan for all information systems in accordance with NIST SP 800-34 rev 1, \u003cem\u003eContingency Planning Guide for Information Technology Systems, \u003c/em\u003eand all other relevant CP documentation defined in the ARS.\u003c/p\u003e\u003cp\u003eIT contingency plans must support:\u003c/p\u003e\u003cp\u003eCP-1.1.1.1 Applicable CMS continuity of operations plans (COOP), particularly for information systems supporting the continuity of CMS’s essential business functions.\u003c/p\u003e\u003cp\u003eCP-1.1.1.2 Recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.\u003c/p\u003e\u003cp\u003eCP-1.1.1.3 Implementation of privacy-applicable requirements to reduce the risk of avoidable information security and privacy incidents and breaches while executing contingency measures.\u003c/p\u003e\u003cp\u003eIT contingency plans, as part of the required FISMA reporting process, must be:\u003c/p\u003e\u003cp\u003eCP-1.1.1.4 Reviewed and updated periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.1.5 Tested periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.2 Ensure systems categorized as “High” or “Moderate” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement a transaction recovery system for transaction-based systems\u003c/li\u003e\u003cli\u003ePerform coordinated contingency testing and/or exercises with organizational elements responsible for related plans.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3 Ensure systems categorized as “High” under FIPS 199 develop an IT contingency plan in coordination with 
organizational elements responsible for related plans (e.g., incident response).\u003c/p\u003e\u003cp\u003eCP-1.1.3.1 Business Owners/ISOs must develop and document a comprehensive system backup strategy for each system.\u003c/p\u003e\u003cp\u003eCP-1.1.3.1.1 The system backup strategy must document processes to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSupport the information system recovery\u003c/li\u003e\u003cli\u003eStore backup copies of the operating system and other critical information system software, as well as copies of the information system inventory, in a physically separate facility or in a fire-rated container not co-located with the operational system\u003c/li\u003e\u003cli\u003eMeet business continuity needs, including the identified RTO and RPO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3.1.2 Applicable alternate processing sites must be established that are compliant with FIPS 199 system categorization requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.2 \u003c/em\u003eDevelop a Contingency Planning Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.3 \u003c/em\u003eFor systems categorized as “High” (or as “Moderate” and supporting essential CMS mission or business functions) under FIPS 199, ensure the CMS Business Owner/ISO establishes and maintains appropriate alternate processing and storage site agreements that require:\u003c/p\u003e\u003cp\u003eCP-1.3.1 Alternate processing sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s) and primary processing site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate processing site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary processing site(s) are provided\u003c/li\u003e\u003cli\u003eBe configurable for use as an operational site.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e
CP-1.3.2 Alternate storage sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate storage site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary storage site(s) are provided.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCP-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Contingency Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentification and Authentication (IA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIA-1 \u003c/strong\u003eThe Program must develop and maintain the Identification and Authentication family of controls to ensure information system users, processes acting on behalf of users, and devices are identified, and the identities authenticated (or verified) as a prerequisite to allowing access to information systems. 
Through the Program, the CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIA-1.1.1 Establish policy and procedures for the effective implementation of selected security controls and control enhancements in the IA control family.\u003c/p\u003e\u003cp\u003eIA-1.1.2 Ensure policy and procedures reflect applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eIA-1.1.3 Ensure the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and the organizations meet all the requirements specified by HHS policy and applicable implementation standard(s).\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.2 \u003c/em\u003eDevelop an Identification and Authentication Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.3 \u003c/em\u003eEnsure all users, including federal employees, contractors, and entities with network access to systems, use multi-factor authentication. 
External-facing applications must offer consumers multi-factor authentication as an option.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Identity and Authentication Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Response (IR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIR-1 \u003c/strong\u003eThe Program must develop and maintain the Incident Response family of controls to establish an operational incident handling capability for information systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked, documented, and reported. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Incident Response family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIR-1.1.1 Document, maintain, and communicate policies and procedures in accordance with the \u003cem\u003eHHS Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response \u003c/em\u003eand the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, including roles and responsibilities for information security and PII incidents and violation handling.\u003c/p\u003e\u003cp\u003eIR-1.1.2 Ensure CMS employees’ and contractors’ situational awareness through:\u003c/p\u003e\u003cp\u003eIR-1.1.2.1 Receipt of information system security and privacy alerts, advisories, and directives from designated external organizations on an ongoing basis.\u003c/p\u003e\u003cp\u003eIR-1.1.2.2 Generation of internal information security and privacy alerts, advisories, and directives as deemed necessary.\u003c/p\u003e\u003cp\u003eIR-1.1.2.3 
Dissemination of information security and privacy alerts, advisories, and directives to personnel (see the ARS for a complementary, CMS-defined process).\u003c/p\u003e\u003cp\u003eIR-1.1.3 Ensure CMS employees’ and contractors’ awareness of privacy-related incidents through:\u003c/p\u003e\u003cp\u003eIR-1.1.3.1 Development and implementation of privacy breach notification and response policies, processes, and standards.\u003c/p\u003e\u003cp\u003eIR-1.1.3.2 Appropriate notification of the SOP for all incidents involving PII or PHI.\u003c/p\u003e\u003cp\u003eIR-1.1.4 Ensure CMS employees and contractors maintain incident response processes and procedures by:\u003c/p\u003e\u003cp\u003eIR-1.1.4.1 Reviewing and updating Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.2 Testing Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.3 Incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.\u003c/p\u003e\u003cp\u003eIR-1.1.5 Ensure CMS employees and contractors maintain familiarity with incident response processes and procedures through periodic training, as defined in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.2 \u003c/em\u003eThe CMS CISO, in coordination with the CMS Director of CCIC and Business Owners/ISOs, must establish and maintain an information security and privacy incident and breach response capability that includes preparation, identification, containment, eradication, recovery, and follow-up capabilities to ensure effective recovery from information security and privacy incidents and breaches.\u003c/p\u003e\u003cp\u003eIR-1.2.1 For systems categorized as “Moderate” or “High” under FIPS 199, incident handling activities must be coordinated with contingency planning activities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.3 \u003c/em\u003eDevelop an Incident Response Policy which is consistent with the ARS and 
other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Incident Response Control family of controls and following defined events in ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMaintenance (MA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMA-1\u003c/strong\u003e The Program must develop and maintain the System Maintenance family of controls to ensure (i) periodic and timely maintenance on organizational information systems is performed and (ii) effective controls are established for the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. The Program must:\u003c/p\u003e\u003cp\u003eMA-1.1 Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Maintenance family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMA-1.1.1 Ensure privacy considerations are included in system maintenance policy and procedures, especially when the system contains information subject to the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA.\u003c/p\u003e\u003cp\u003eMA-1.1.2 Ensure routine preventative and regular maintenance (including repairs) on the components of all CMS information systems, supporting utilities, and ancillary equipment (e.g., within the data center, used for testing) are scheduled, performed, documented, and reviewed.\u003c/p\u003e\u003cp\u003eMA-1.1.2.1 Maintenance processes and procedures must be compliant with CMS processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.2.2 Maintenance processes and procedures may reference manufacturer or vendor specifications.\u003c/p\u003e\u003cp\u003eMA-1.1.3 Ensure information system maintenance tools are approved, controlled, maintained, and monitored as required.\u003c/p\u003e\u003cp\u003eMA-1.1.4 Ensure only authorized personnel are allowed to perform maintenance on 
the information system through established processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.4.1 Personnel authorized to perform maintenance must be compliant with requirements defined under the Awareness and Training and Personnel Security sections of this document.\u003c/p\u003e\u003cp\u003eMA-1.1.5 For non-local (e.g., remote) maintenance and diagnostic services ensure:\u003c/p\u003e\u003cp\u003eMA-1.1.5.1 Services are authorized, monitored, and controlled.\u003c/p\u003e\u003cp\u003eMA-1.1.5.2 Tools are consistent with organizational policy and documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.5.3 Strong identification and authentication techniques are employed in the establishment of sessions.\u003c/p\u003e\u003cp\u003eMA-1.1.5.4 Activity records are maintained.\u003c/p\u003e\u003cp\u003eMA-1.1.5.5 All sessions and network connections are terminated when non-local maintenance is completed.\u003c/p\u003e\u003cp\u003eMA-1.1.6 Ensure appropriate protection of information systems and/or components being removed:\u003c/p\u003e\u003cp\u003eMA-1.1.6.1 The CMS Business Owner/ISO or designated federal employee must approve the removal of information systems and/or system components for offsite maintenance/repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.6.2 The equipment/media must be sanitized in a manner compliant with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST sanitization standards\u003c/a\u003e prior to removal from organizational facilities for offsite maintenance or repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.7 For systems categorized as “Moderate” or “High” under FIPS 199, maintenance records must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance\u003c/li\u003e\u003cli\u003eName of the individual performing the maintenance\u003c/li\u003e\u003cli\u003eName of escort, if necessary\u003c/li\u003e\u003cli\u003eDescription of the 
maintenance performed\u003c/li\u003e\u003cli\u003eList of equipment (including components and parts), including the removal and/or replacement of applicable identification numbers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.7.1 Inspect all maintenance tools carried into a facility by maintenance personnel for improper modifications.\u003c/p\u003e\u003cp\u003eMA-1.1.7.2 Check all media containing diagnostic and test applications and programs for malicious code before the media is used in the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.7.3 Ensure non-local maintenance and diagnostic sessions, including review of the maintenance records of the sessions, are audited by the Security and Privacy Officer.\u003c/p\u003e\u003cp\u003eMA-1.1.7.4 Ensure installation and use of non-local maintenance and diagnostic connections are documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.8 For systems categorized as “High” under FIPS 199, CMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.8.1 Employ automated mechanisms to schedule, conduct, and document any required maintenance and repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.8.2 Produce and maintain up-to-date, accurate, complete, and available records of all maintenance and repair actions that are needed, in process, and completed.\u003c/p\u003e\u003cp\u003eMA-1.1.8.3 Prevent the unauthorized removal of maintenance equipment/media by performing one of the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying there is no CMS sensitive information contained on the equipment/media\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment/media in a manner compliant with NIST or DoD guidance\u003c/li\u003e\u003cli\u003eRetaining the equipment/media within the facility\u003c/li\u003e\u003cli\u003eDocumenting the removal of the equipment/media from the facility with an exemption signed by the Business 
Owner/ISO or designated federal employee\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eMA-1.2 \u003c/em\u003eDevelop a Maintenance Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Maintenance Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMedia Protection (MP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMP-1 \u003c/strong\u003eThe Program must develop and maintain the Media Protection family of controls to ensure information system media containing sensitive information, both digital and non-digital, is protected by (i) limiting access to authorized users and (ii) sanitizing or destroying information system media before disposal or release for reuse. The program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Media Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMP-1.1.1 Inform all employees and contractors with potential access to sensitive information, such as PII or PHI, about all policies and procedures to protect any sensitive information residing on the various media types used by CMS.\u003c/p\u003e\u003cp\u003eMP-1.1.2 Ensure procedures exist for protecting information system media during transport, specifically through the use of cryptography and restricting the transport of such media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp\u003eMP-1.1.3 Develop and maintain processes, procedures, and standards to ensure information system media, both digital and non-digital, are properly sanitized and/or disposed of.\u003c/p\u003e\u003cp\u003eMP-1.1.3.1 Ensure sanitization and disposal 
techniques (i.e., clear, purge, destroy) for digital and non-digital media are in compliance with NIST SP 800-88 Revision 1, \u003cem\u003eGuidelines for Media Sanitization, \u003c/em\u003eincluding the media sanitization decision matrix, prior to disposal, release, and transfer of custody for re-use.\u003c/p\u003e\u003cp\u003eMP-1.1.4 Ensure all confidential or classified information is sanitized and disposed of in accordance with policy, procedures, and standards established by the National Security Agency (NSA) and DoD.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.2 \u003c/em\u003eDevelop a Media Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Media Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePhysical and Environmental Protection (PE)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePhysical controls are important for protecting FTI, PII and PHI against unauthorized access, use, and disclosure. Environmental controls can be critical when FTI and PII have high availability requirements (e.g., core mission capabilities of an organization rely on consistent and frequent access to PII/FTI)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePE-1\u003c/strong\u003e The Program must develop and maintain the Physical and Environmental Protection family of controls to ensure physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Physical and Environmental Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePE-1.1.1 Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.\u003c/p\u003e\u003cp\u003ePE-1.1.2 Protect the physical plant and support infrastructure for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.3 Provide supporting utilities for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.4 Protect against environmental hazards.\u003c/p\u003e\u003cp\u003ePE-1.1.5 Consider the data sensitivity when defining physical and environmental controls for systems.\u003c/p\u003e\u003cp\u003ePE-1.1.6 Maintain an understanding that the sensitivity of information impacts the necessary physical and environmental controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.2 \u003c/em\u003eDevelop a Physical and Environmental Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Physical and Environmental Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePlanning (PL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePL-1\u003c/strong\u003e The Program must develop and maintain the Planning family of controls to ensure information security and privacy planning for FISMA systems are performed within the CMS enterprise environment and on any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.1 \u003c/em\u003eDesignate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePL-1.1.1 Develop, document, and maintain information security and privacy plans for each CMS system and network:\u003c/p\u003e\u003cp\u003ePL-1.1.1.1 Security plans must be in accordance with NIST SP 800-18 Revision 1, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e.\u003c/p\u003e\u003cp\u003ePL-1.1.1.2 Privacy plans must address the privacy requirements for confidentiality, availability, and integrity for the organization and individual information system(s).\u003c/p\u003e\u003cp\u003ePL-1.1.1.3 Business Owners/ISOs must review and update the information security and privacy plans periodically as defined in the ARS, and following defined events in the ARS and applicable control implementation statements of the associated PL controls.\u003c/p\u003e\u003cp\u003ePL-1.1.2 Develop, document, and maintain an Information Security Architecture to:\u003c/p\u003e\u003cp\u003ePL-1.1.2.1 Document the information security segments of the CMS enterprise architecture in accordance with OMB Circular A-130.\u003c/p\u003e\u003cp\u003ePL-1.1.2.2 Fully integrate information security and privacy into the CMS architecture framework.\u003c/p\u003e\u003cp\u003ePL-1.1.3 Review and update the security segments of the CMS enterprise architecture periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4 Develop, document, and maintain the CMS Acceptable Use standards within the \u003cem\u003eHHS Rules of Behavior For Use of HHS Information and IT Resources Policy.\u003c/em\u003e\u003c/p\u003e\u003cp\u003ePL-1.1.4.1 Privacy requirements must be identified in contracts and acquisition-related documents.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2 CMS employees and 
contractors (users) must:\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.1 Be informed that the use of CMS IT resources, other than for authorized purposes, is a violation of the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy \u003c/em\u003eand is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges, which could result in imprisonment.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.2 Be prohibited from transmitting sensitive CMS information using any non-CMS approved Internet-based mechanism, including but not limited to personal email, file-sharing, file transfer, and backup services.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.3 Read and sign the HHS RoB periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4.3 Personal use of CMS IT resources must comply with \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy\u003c/em\u003e, which governs the appropriate use of CMS IT resources to ensure personal use of those resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.2\u003c/em\u003e Develop a Planning Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram Management (PM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePM-1 \u003c/strong\u003eThe Program must develop and maintain the Program Management family of controls to ensure CMS develops an organization-wide information security and privacy program. The Program Management (PM) controls are typically implemented at the organization level and not specifically directed at individual information systems. 
Through the PM implementation of the controls, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Program Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePM-1.1.1 Periodic review and update of the Program Plan following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003ePM-1.1.2 CMS develops, maintains, and reviews:\u003c/p\u003e\u003cp\u003ePM-1.1.2.1 Information security and privacy policy as an overview of the information security and privacy management controls and common controls.\u003c/p\u003e\u003cp\u003ePM-1.1.2.2 Policy and procedures to ensure requirements for protecting controlled unclassified information processed, stored, or transmitted on external systems are implemented.\u003c/p\u003e\u003cp\u003ePM-1.1.2.3 An accurate accounting of disclosures of personally identifiable information as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.4 Policies and procedures for reviewing the accuracy, relevance, timeliness, and completeness of PII across the information life cycle as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.5 The process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.\u003c/p\u003e\u003cp\u003ePM-1.1.2.6 A privacy program structured to inform the information security program of all privacy-related requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3 CMS identifies roles, responsibilities, and compliance requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3.1 CMS must appoint the CISO as the Senior Information Security Officer.\u003c/p\u003e\u003cp\u003e
PM-1.1.3.2 CMS must appoint individuals with specific roles and responsibilities.\u003c/p\u003e\u003cp\u003ePM-1.1.4 CMS holds the approved AO accountable for the risk to the operations within CMS, organizational assets, individuals, and the nation.\u003c/p\u003e\u003cp\u003ePM-1.1.5 CMS develops, implements, and maintains a Risk Management Strategy to:\u003c/p\u003e\u003cp\u003ePM-1.1.5.1 Document remediation actions responding to identified risk.\u003c/p\u003e\u003cp\u003ePM-1.1.5.2 Develop and implement a POA\u0026amp;M process to address information security and privacy risks identified in its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.3 Develop and maintain inventory listings of its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.4 Measure the effectiveness of the Program, information security controls, and privacy controls.\u003c/p\u003e\u003cp\u003ePM-1.1.6 CMS develops, implements, and maintains a testing, training, and monitoring program.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.2 \u003c/em\u003eDevelop a Program Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Security (PS)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePS-1 \u003c/strong\u003eThe Program must develop and maintain the Personnel Security family of controls to ensure (i) CMS information systems employ personnel security controls consistent with applicable laws, executive orders, policies, directives, regulations, standards, and guidelines and (ii) procedures are developed to guide the implementation of personnel security controls. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personnel Security family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePS-1.1.1 CMS information systems employ personnel security controls consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003ePS-1.1.2 Processes and procedures are developed to guide the implementation of personnel security controls.\u003c/p\u003e\u003cp\u003ePS-1.1.2.1 Where appropriate, roles that require access to sensitive information (such as PII and PHI) must apply additional personnel security measures.\u003c/p\u003e\u003cp\u003ePS-1.1.3 Individuals occupying positions of responsibility within organizations (i.e., including third-party service providers) are trustworthy and meet established security criteria for the positions of responsibility.\u003c/p\u003e\u003cp\u003ePS-1.1.4 Information and information systems are adequately protected when personnel actions occur such as initial employment, terminations, and transfers.\u003c/p\u003e\u003cp\u003ePS-1.1.5 Formal sanctions for personnel failing to comply with organizational security policies and procedures are employed.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.2\u003c/em\u003e Develop a Personnel Security Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Personnel Security Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePII Processing and Transparency (PT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePT-1\u003c/strong\u003e The Program must develop and maintain the Processing 
and Transparency family of controls to ensure the confidentiality of Personally Identifiable Information being processed and maintained by CMS organizational information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personally Identifiable Information Processing and Transparency family of controls in the ARS. The Program must:\u003c/p\u003e\u003cp\u003ePT-1-1-1 Coordinate with the SOP and the CISO in establishing the organizational authority for the use of Personally Identifiable Information being processed and developing processes to restrict the use of PII.\u003c/p\u003e\u003cp\u003ePT-1-1-2 Ensure public notices and policies are developed to describe the purpose for processing PII and monitoring changes.\u003c/p\u003e\u003cp\u003ePT-1-1-3 Ensure procedures are in place for individuals to consent to the processing of their personally identifiable information prior to its collection to allow for them to make informed decisions regarding the use of their personal information.\u003c/p\u003e\u003cp\u003ePT-1-1.4 Establish privacy risk assessments associated with the processing of personally identifiable information to help determine the appropriate elements to include in privacy notices.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Develop, publish and maintain system of records notices in accordance with OMB guidance when systems are used to maintain a group of any record under the control of CMS from which information is retrieved by the name of an individual or some type of identifying number, symbol, or other identifier.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Obtain approval from the Data Integrity Board when systems or organizations conduct computer matching programs.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2 \u003c/em\u003eDevelop a Personally Identifiable Information Processing and Transparency Policy which is consistent with 
the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2\u003c/em\u003e Review and update policies, procedures, and standards for the Personally Identifiable Information Processing and Transparency Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRA-1 Designate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Risk Assessment family of controls to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the risk to organizational operations (e.g., mission, functions, image, reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information, is assessed.\u003c/li\u003e\u003cli\u003eDevelop, document, implement, and update a risk assessment at least every three years or whenever a significant change occurs to the information system, a change in the threat environment occurs, a significant data breach occurs, or the ATO has expired.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.1 \u003c/em\u003eDevelop and maintain effective implementation of selected information security and privacy controls and control enhancements in the Risk Assessment family of controls as described in the ARS to ensure formal risk assessment processes and policies provide the foundation for protecting sensitive information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.2 \u003c/em\u003eDevelop a Risk Assessment Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Risk Assessment Control family of controls and following defined 
events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Services Acquisition (SA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSA-1 \u003c/strong\u003eThe Program must develop and maintain the System and Services Acquisition family of controls to ensure contracts, especially the Statement of Work (SOW) within the contract, are reviewed for appropriate information security and privacy contracting language specific to the technology or service being acquired. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Services Acquisition family of controls defined in the ARS to ensure:\u003c/p\u003e\u003cp\u003eSA-1.1.1 Appropriate information security and privacy documentation (i.e., information security and privacy functional requirements/specifications, information security-related and privacy-related documentation requirements, and developmental and evaluation-related assurance requirements) are contractually required for the development or acquisition of new systems.\u003c/p\u003e\u003cp\u003eSA-1.1.2 Appropriate information security and privacy language to protect sensitive information, such as PII and PHI, is contractually required for the development, acquisition, or operation of systems, when applicable.\u003c/p\u003e\u003cp\u003eSA-1.1.3 Documented processes and procedures are developed and implemented effectively to facilitate the acquisition of information security and privacy controls in all system and services acquisitions.\u003c/p\u003e\u003cp\u003eSA-1.1.4 Processes and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSA-1.1.5 Sufficient resources to adequately protect organizational 
information systems are allocated by the responsible organization.\u003c/p\u003e\u003cp\u003eSA-1.1.6 System development life cycle processes, as defined under the SDLC, incorporate required information security and privacy considerations.\u003c/p\u003e\u003cp\u003eSA-1.1.7 Software usage and installation restrictions are employed and compliant with CMS policy.\u003c/p\u003e\u003cp\u003eSA-1.1.8 Security specifications, either explicitly or by reference, are included in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal requirements and industry best practices.\u003c/p\u003e\u003cp\u003eSA-1.1.9 Security measures consistent with applicable federal requirements and industry best practices to protect information, applications, and/or services outsourced from the organization are required of third-party vendors and are verified as specified in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.2 \u003c/em\u003eDevelop a System and Services Acquisition Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Services Acquisition Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Communications Protection (SC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSC-1\u003c/strong\u003e The Program must develop and maintain the System and Communications Protection family of controls to ensure the organization develops, documents, and maintains system and communications protection policy, processes, and procedures. 
Through the Program the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Communications Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSC-1.1.1 Review and update the System and Communications Protection Policies and Procedures periodically and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003eSC-1.1.2 Protect the systems assets and information while in transmission or at rest with technical controls based on:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe confidentiality, integrity, and availability of the system\u003c/li\u003e\u003cli\u003eThe sensitivity of information (e.g., PII and PHI) processed or stored by the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.3 Ensure the information system separates user functionality, including user interface services, from system management functionality. 
By applying the systems security engineering design principles within the TRA to:\u003c/p\u003e\u003cp\u003eSC-1.1.3.1 Isolate access and information flow control from non-security functions and from other security functions.\u003c/p\u003e\u003cp\u003eSC-1.1.3.2 Determine if the information system uses underlying hardware separation mechanisms to implement security function isolation.\u003c/p\u003e\u003cp\u003eSC-1.1.3.3 Minimize the number of non-security functions included within the isolation boundary containing security functions by implementing security and privacy functions as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLargely independent modules to maximize internal cohesiveness within modules and minimize coupling between modules\u003c/li\u003e\u003cli\u003eA layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.4 Implement information security and privacy controls throughout the SDLC of each system by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplementing usage restrictions based on the potential risk of harm to an information system\u003c/li\u003e\u003cli\u003eAuthorizing, monitoring, and controlling the use of such components within the information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.5 Operate websites that are within the restrictions stated in federal policies and directives.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.2\u003c/em\u003e Develop a System and Communications Protection Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Communications Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and 
Information Integrity (SI)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSI-1 \u003c/strong\u003eThe Program must develop and maintain the System and Information Integrity family of controls to establish and maintain policy and procedures for the effective implementation of selected information security controls and control enhancements. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSI-1.1.1 Policy, processes, and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSI-1.1.2 Policy, processes, and procedures are implemented to protect the integrity of systems and information and to meet the \u003cem\u003ePrivacy Act \u003c/em\u003erequirements for protection against any anticipated threats or hazards to the security or integrity of records.\u003c/p\u003e\u003cp\u003eSI-1.1.3 Information and information system flaws are identified, reported, and corrected in a timely manner, as defined within the ARS.\u003c/p\u003e\u003cp\u003eSI-1.1.4 Protection from malicious code is provided at appropriate locations within organizational information systems.\u003c/p\u003e\u003cp\u003eSI-1.1.5 Information system security and privacy alerts and advisories issued are monitored and appropriate action taken in response.\u003c/p\u003e\u003cp\u003eSI-1.1.6 Minimum information security and privacy controls are supplemented, as warranted, based on an assessment of risk and local conditions, including organization-specific security requirements, specific threat information, cost-benefit analysis, and special circumstances.\u003c/p\u003e\u003cp\u003eSI-1.1.7 A monitoring strategy is developed 
to implement an ISCM program that is compliant with Federal Rules of Evidence Section 803(6).\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.2 \u003c/em\u003eDevelop a System and Information Integrity Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Information Integrity Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSupply Chain Risk Management (SR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSR-1\u003c/strong\u003e The Program must develop and maintain the Supply Chain Risk Management (SR) family of controls to establish and maintain policy and procedures for the effective implementation of the selected information security controls and control enhancements. In coordination with the CISO and the Program, the organization must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Supply chain risk management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.2\u003c/em\u003e Develop a Supply chain risk management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.3\u003c/em\u003e Coordinate with the CMS CISO to establish a process to identify and address weaknesses or deficiencies in the supply chain elements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.4 \u003c/em\u003eEstablish procedures and agreements with entities involved in the supply chain for systems, system components or system services to ensure notification of supply chain compromises that can potentially adversely affect organizational systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.5\u003c/em\u003e Review and 
update policies, procedures, and standards for the Supply chain risk management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eNon-Compliance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe HHS Rules of Behavior (RoB) for Use of Information IT Resources Policy cannot account for every possible situation. Therefore, where this \u003cem\u003ePolicy \u003c/em\u003edoes not provide explicit guidance, personnel shall use their best judgment to apply the principles set forth in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Pages/EthicsManagementOffice.aspx\"\u003estandards\u003c/a\u003e for \u003ca href=\"https://www.ecfr.gov/current/title-5/chapter-XVI/subchapter-B/part-2635\"\u003eethical conduct\u003c/a\u003e to guide their actions and seek guidance when appropriate from the Chief Information Officer (CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this Policy may be cause for disciplinary and non-disciplinary actions. 
Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSuspension of access privileges;\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, and/or facilities;\u003c/li\u003e\u003cli\u003eReprimand;\u003c/li\u003e\u003cli\u003eTermination of employment;\u003c/li\u003e\u003cli\u003eSuspension without pay;\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects;\u003c/li\u003e\u003cli\u003eMonetary fines;\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment;\u003c/li\u003e\u003cli\u003eDeactivation of accounts.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eInformation and Assistance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS ISPG is responsible for the development and management of this policy. Questions, comments, suggestions, and requests for information about this \u003cem\u003ePolicy \u003c/em\u003eshould be directed to: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEffective Date and Implementation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe effective date of this policy is the date on which the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe CMS CIO has the authority to grant a one (1) year extension of the policy. 
To archive this policy, approval must be granted, in writing, by the CMS CIO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eApproval\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eGeorge Hoffmann\u003c/p\u003e\u003cp\u003eCMS Chief Information Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConcurrence\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis document will be reviewed in accordance with the established review schedule located on the CMS website.\u003c/p\u003e\u003cp\u003eKeith Busby\u003c/p\u003e\u003cp\u003eCMS Chief Information Security Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthoritative References, Statutes, Orders, Directives, Policies, and Guidance\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eFederal Directives and Policies\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eFederal Continuity Directive 1 (FCD 1): Federal Executive Branch National Continuity Program and Requirements, February 2008\u003c/li\u003e\u003cli\u003eHSPD-12, \u003cem\u003ePolicy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-7, \u003cem\u003eCritical Infrastructure Identification, Prioritization, and Protection\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOffice of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology: Statement of Organization, Functions, and Delegations of Authority, 74 Fed. Reg. 57679-57682 (2009)\u003c/li\u003e\u003cli\u003eOffice for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009)\u003c/li\u003e\u003cli\u003eOffice of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 73 Fed. Reg. 31486-31487 (2008)\u003c/li\u003e\u003cli\u003eOffice of the Secretary: Statement of Organization, Functions, and Delegations of Authority, 72 Fed. Reg. 
19000-19001 (2007)\u003c/li\u003e\u003cli\u003eOffice of Personnel Management (OPM) Regulation 5 Code of Federal Regulations (CFR) 930.301\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eThe Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009\u003c/li\u003e\u003cli\u003e\u003cem\u003ePublic Welfare\u003c/em\u003e, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.\u003c/li\u003e\u003cli\u003eFederal Acquisition Regulation (as amended)\u003c/li\u003e\u003cli\u003eE-Government Act of 2002\u003c/li\u003e\u003cli\u003eThe Federal Information Security Management Act (Pub. L. No. 107-347)\u003c/li\u003e\u003cli\u003eClinger-Cohen Act of 1996\u003c/li\u003e\u003cli\u003eThe Health Insurance Portability and Accountability Act of 1996\u003c/li\u003e\u003cli\u003ePaperwork Reduction Act of 1995\u003c/li\u003e\u003cli\u003eChildren's Online Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Computer Matching and Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 (as amended)\u003c/li\u003e\u003cli\u003eOffice of Federal Procurement Policy Act of 1974\u003c/li\u003e\u003cli\u003eFreedom of Information Act of 1966 (Public Law 89-554, 80 Stat. 383; Amended 1996,2002, 2007)\u003c/li\u003e\u003cli\u003eFederal Records Act of 1950\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003e
HHS Policy\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eHHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2021-03-001, \u003cem\u003eHHS Policy for Information Technology Procurements - Security and Privacy Language\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2020-01-001, \u003cem\u003eHHS Policy for Securing Wireless Local Area Networks\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-05-003, \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-06-004, \u003cem\u003eHHS Policy for Records Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2019-05-004, \u003cem\u003eHHS Rules of Behavior for the Use of HHS Information and IT Resources Policy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2018-0001.002S, \u003cem\u003eHHS System Inventory Management Standard\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2017-0001.001S\u003cem\u003e, HHS OCIO Minimum Security Configuration Standards Guidance\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2016-0005\u003cem\u003e, HHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2013-0004\u003cem\u003e, Policy for Personal Use of Information Technology Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2012-0001.001S, \u003cem\u003eStandard for Plans of Action and Milestones (POA\u0026amp;M) Management and Reporting\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2010-0002, \u003cem\u003eHHS-OCIO Policy for Capital Planning and Investment Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0004.001, \u003cem\u003eHHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle 
(EPLC)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0001.003, \u003cem\u003eHHS Policy for Responding to Breaches of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS CSIRC Concept of Operations\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Minimum Security Configuration Standards\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eResolving Security Audit Finding Disputes\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity of Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eOffice of Inspector General Management Implication Report Need for Departmental Security Enhancements for Information Technology Assets\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eUpdated Departmental Standard for the Definition of Sensitive Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eRole-Based Training (RBT) of Personnel with Significant Security Responsibilities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS \u003cem\u003ePolicy for Information Technology (IT): Security and Privacy Incident Reporting and Response\u003c/em\u003e\u003c/li\u003e\u003cli\u003e48 CFR Chapter 3 \u003cem\u003eHealth and Human Services Acquisition Regulation (HHSAR)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFAC-2005-46, Federal Acquisition Regulation (FAR), amendments\u003c/li\u003e\u003cli\u003e\u003cem\u003eDepartment Information Security Policy/Standard Waiver\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS 
Information Security Program \u003cem\u003ePrivacy in the System Development Life Cycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eFederal Information Processing Standards (FIPS) 200 Implementation\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS National Security Information Manual\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Personnel Security/Suitability Handbook\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOMB Policy and Memoranda\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eOMB Circular A-108,\u003cem\u003e Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-127, \u003cem\u003eFinancial Management Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-130, \u003cem\u003eManagement of Federal Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-123, \u003cem\u003eManagement Accountability and Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-14-03, \u003cem\u003eEnhancing the Security of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-13-13, \u003cem\u003eOpen Data Policy Managing Information as an Asset\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-12-20, \u003cem\u003eFY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-33, \u003cem\u003eFY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-29, \u003cem\u003eChief Information Officer Authorities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-16, \u003cem\u003e2011 Issuance of Revised Parts I and II to Appendix C of OMB Circular A-123\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-11, 
\u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-02, \u003cem\u003eSharing Data While Protecting Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-22, \u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-23, \u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-15, \u003cem\u003eFY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-06, \u003cem\u003eOpen Government Directive\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-09-29, \u003cem\u003eFY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-21, \u003cem\u003eFY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-23, \u003cem\u003eSecuring the Federal Government's Domain Name System Infrastructure\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-09, \u003cem\u003eNew FISMA Privacy Reporting Requirements for FY 2008\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-10, \u003cem\u003eUse of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-20, \u003cem\u003eFY 2007 E-Government Act Reporting Instructions\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-19, \u003cem\u003eFY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-16, 
\u003cem\u003eSafeguarding Against and Responding to the Breach of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-20, \u003cem\u003eFY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-19, \u003cem\u003eReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-16, \u003cem\u003eProtection of Sensitive Agency Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-15, \u003cem\u003eSafeguarding Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-24, \u003cem\u003eImplementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-15, \u003cem\u003eFY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-08, \u003cem\u003eDesignation of Senior Agency Officials for Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-04, \u003cem\u003ePolicies for Federal Agency Public Websites\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-26, \u003cem\u003ePersonal Use Policies and File Sharing Technology\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-03-22, \u003cem\u003eOMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (as amended)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-04, \u003cem\u003eE-Authentication Guidance for Federal Agencies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-24, \u003cem\u003eReporting Instructions for the Government Information Security Reform Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-05, 
\u003cem\u003eGuidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-20, \u003cem\u003eSecurity of Federal Automated Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-05, \u003cem\u003eInstructions on Complying with President's Memorandum of May 14, 1998, \"Privacy and Personal Information in Federal Records\"\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-96-20, \u003cem\u003eImplementation of the Information Technology Management Reform Act of 1996\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eNIST SP 800-122, \u003cem\u003eGuide to Protecting Confidentiality of PII\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-81, \u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-65, \u003cem\u003eIntegrating IT Security into the Capital Planning and Investment Control Process\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-64, \u003cem\u003eSecurity Considerations in the System Development Lifecycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-63, \u003cem\u003eElectronic Authentication Guideline\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-61, \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-58, \u003cem\u003eSecurity Considerations for Voice Over IP Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53A, \u003cem\u003eGuide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment 
Plans\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53, \u003cem\u003eRecommended Security Controls for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-37, \u003cem\u003eGuide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-34, \u003cem\u003eContingency Planning Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-30, \u003cem\u003eRisk Management Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-16, \u003cem\u003eInformation Technology Security Training Requirements: A Role- and Performance-Based Model\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST \u003cem\u003eUnited States Government Configuration Baseline for Windows XP \u0026amp; Vista\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 200, \u003cem\u003eMinimum Security Requirements for Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 199, \u003cem\u003eStandards for Security Categorization of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 140-3, \u003cem\u003eSecurity Requirements for Cryptographic Modules\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST United States Government Configuration Baseline (USGCB)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Policy and Directives\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCMS Information Security Acceptable Risk Safeguards, CMS ARS Version 5.0\u003c/li\u003e\u003cli\u003eCMS Vulnerability Disclosure Policy Program\u003c/li\u003e\u003cli\u003eCMS Supply Chain Risk Management Policy\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAssociated CMS 
Resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISPG Library is available at: \u003ca href=\"https://security.cms.gov/\"\u003ehttps://security.cms.gov\u003c/a\u003e. It contains up-to-date policies, procedures, and directives, including those approved after release of this Policy.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"18f:T34350,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this \u003cem\u003ePolicy \u003c/em\u003edefines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information. As the federal agency responsible for administering the Medicare, Medicaid, Children's Health Insurance Program (CHIP), and Health Insurance Exchange (HIX), CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, or guidance. 
All NIST Special Publication (SP) 800 series are applicable to CMS policy including the \u003cem\u003eIS2P2\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003erequires all CMS stakeholders, including Business Owners and System Security and Privacy Officer (previously known as ISSO) to implement adequate information security and privacy safeguards to protect all CMS-sensitive information. The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the Senior Official for Privacy (SOP) jointly develop and maintain this document. All references contained in this \u003cem\u003ePolicy \u003c/em\u003eare subject to periodic revision, update, and reissuance.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eBackground\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS Information Security and Privacy Group (ISPG), under the direction of the CMS Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), is tasked with overseeing the Cybersecurity and Privacy Programs for the agency. Following the Federal and HHS requirements, CMS ISPG identifies cybersecurity and privacy risks, implements mitigation strategies and ensures the confidentiality, integrity and availability of CMS-sensitive information and information systems. These activities are aimed at safeguarding and preventing unauthorized disclosure of Personally Identifiable Information (PII) and Protected Health Information (PHI) entrusted to CMS.\u003c/p\u003e\u003cp\u003eISPG recognized the need to develop a policy that references and incorporates the security and privacy requirements from authoritative sources while tailoring it to suit the CMS physical and information technology environments. This \u003cem\u003ePolicy \u003c/em\u003eexplains the scope and applicability of security and privacy requirements as it pertains to CMS information systems. 
This \u003cem\u003ePolicy \u003c/em\u003ealso defines the security and privacy control baselines as well as the supplemental controls available for selection and should be used in conjunction with the \u003cem\u003eAcceptable Risk Safeguards (ARS)\u003c/em\u003e, CMS process guidelines and other supporting CMS-established policies, procedures, and standards. The format of these requirements is scalable to accommodate modifications or the addition of new requirements over time as a result of the ever-changing cybersecurity landscape.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eScope\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003esupersedes the \u003cem\u003eCMS Information System Security and Privacy Policy (IS2P2) v 3.3\u003c/em\u003e, and supplements the HHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P) v 1.1\u003c/em\u003e, and it applies to all CMS personnel or entities:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConducting business for CMS\u003c/li\u003e\u003cli\u003eCollecting or maintaining information for CMS\u003c/li\u003e\u003cli\u003eUsing or operating information systems on behalf of CMS whether directly or through contractual relationships.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe list of CMS personnel or entities below includes, but is not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOrganizational components, centers, or offices\u003c/li\u003e\u003cli\u003eFederal employees, contractor personnel, interns, or other non-government employees operating on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not supersede any other applicable laws, higher-level agency directives, or the existing labor-management agreement in place.\u003c/p\u003e\u003cp\u003eThe contents of and the compliance with this \u003cem\u003ePolicy \u003c/em\u003emust be incorporated into the applicable contract language, as 
appropriate. Any contract, agreement, or other arrangement that collects, creates, uses, discloses, or maintains sensitive information, including but not limited to Personally Identifiable Information (PII) and Protected Health Information (PHI), must comply with this \u003cem\u003ePolicy\u003c/em\u003e. In some cases, other external agency policies may also apply (e.g., if a system processes, stores, or transmits Federal Tax Information [FTI]).\u003c/p\u003e\u003cp\u003eThis \u003cem\u003ePolicy \u003c/em\u003edoes not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, \u003cem\u003eUnited States Intelligence Activities, \u003c/em\u003eor subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Privacy Act questions should be directed to the CMS Privacy Act Officer.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthorities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including FISMA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Privacy Act of 1974 (“Privacy Act”). 
This \u003cem\u003ePolicy \u003c/em\u003eaddresses CMS applicable information security and privacy requirements arising from federal legislation, mandates, directives, executive orders, and the Department of Health and Human Services (HHS) policies by integrating NIST Special Publication (SP) 800-53 Revision 5, \u003cem\u003eSecurity and Privacy Controls for Federal Information Systems and Organizations \u003c/em\u003ewith the \u003cem\u003eDepartment of Health and Human Services Policy for Information Systems Security and Privacy Protection (HHS IS2P) \u003c/em\u003eand other specific programmatic legislations and CMS regulations. The authoritative references include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBuy American Act, 41 U.S.C §§ 8301-8305\u003c/li\u003e\u003cli\u003eDHS Binding Operational Directive 18-02, Securing High-Value Assets May 7, 2018\u003c/li\u003e\u003cli\u003eExecutive Order 13556, the Controlled Unclassified Information (CUI) program\u003c/li\u003e\u003cli\u003eE-Government Act of 2002 (44 U.S.C. Chapters 35 and 36)\u003c/li\u003e\u003cli\u003eFamily Educational Rights and Privacy Act (FERPA) 20 U.S.C. § 1232g\u003c/li\u003e\u003cli\u003eFederal Acquisition Supply Chain Security Act of 2018\u003c/li\u003e\u003cli\u003eFederal Information Processing Standards: FIPS 140-2, FIPS 199, FIPS 200, FIPS 201-1\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C § 3551\u003c/li\u003e\u003cli\u003eFinancial Audit Manual (FAM), GAO-18-G01G: Published June 14, 2018\u003c/li\u003e\u003cli\u003eHealth Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191, 110 Stat. 
1936, enacted August 21, 1996)\u003c/li\u003e\u003cli\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/li\u003e\u003cli\u003eHomeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004\u003c/li\u003e\u003cli\u003eH.R. 1232 Federal Information Technology Acquisition Reform\u003c/li\u003e\u003cli\u003eNational Archives and Records Administration, CUI Registry\u003c/li\u003e\u003cli\u003eNIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/li\u003e\u003cli\u003eNIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security\u003c/li\u003e\u003cli\u003eNIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations\u003c/li\u003e\u003cli\u003eNIST SP 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Revision 1, Guidelines for Media Sanitization\u003c/li\u003e\u003cli\u003eNIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices\u003c/li\u003e\u003cli\u003eNIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)\u003c/li\u003e\u003cli\u003eNIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing\u003c/li\u003e\u003cli\u003eNIST SP 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)\u003c/li\u003e\u003cli\u003eNIST SP 800-171, Rev. 
2, Protecting CUI in Nonfederal Systems\u003c/li\u003e\u003cli\u003eNIST SP 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies\u003c/li\u003e\u003cli\u003eNIST SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130, Managing Information as a Strategic Resource\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information\u003c/li\u003e\u003cli\u003eOMB memorandums M-02-01, M-03-22, M-10-22, M-10-23, M-16-17, M-14-03, M-17-12\u003c/li\u003e\u003cli\u003eOPM Information systems security awareness training program, 5 CFR § 930.301\u003c/li\u003e\u003cli\u003ePublic Law 113-291, Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018\u003c/li\u003e\u003cli\u003eSection 508 of the Rehabilitation Act of 1973, as amended in 1998 (29 U.S.C 794d)\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 as amended (5 U.S.C. 552a).\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eDocument Organization\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CIO, CISO, and SOP designed this \u003cem\u003ePolicy \u003c/em\u003eto comply with the NIST 800-53, Revision 5, Program Management (PM) control family. This \u003cem\u003ePolicy \u003c/em\u003eintegrates information security and privacy roles, responsibilities, and controls into the CMS Information Security and Privacy Program. 
The key contents of this \u003cem\u003ePolicy \u003c/em\u003einclude:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAn overall description of the Information Security and Privacy Program (Section 6)\u003c/li\u003e\u003cli\u003eDescriptions of specific roles and responsibilities of key CMS security and privacy Stakeholders (Section 7)\u003c/li\u003e\u003cli\u003eDefining HHS and CMS-specific tailored policies, policies associated with the security and privacy control families, and the consequences for non-compliance (Sections 8, 9, \u0026amp; 10)\u003c/li\u003e\u003cli\u003eSupporting Appendices provide references, a glossary of terms, and acronyms:\u003cul\u003e\u003cli\u003eAppendix A: References\u003c/li\u003e\u003cli\u003eAppendix B: Glossary of Terms and Acronyms.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIn accordance with HHS policy, CMS must update this \u003cem\u003ePolicy \u003c/em\u003eat least every three years (36 months). In cases where existing policy is insufficient to address changes in governance (e.g., legislation, directives, mandates, executive orders, or HHS policy) or emerging technology, the CMS CIO may publish ad hoc or specialized interim directives or memorandums to address the area of concern. As appropriate, the interim directive or memorandum may be integrated into future releases of or incorporated as an appendix to this \u003cem\u003ePolicy\u003c/em\u003e. The CMS CISO and SOP may develop \u003cem\u003ememorandums \u003c/em\u003ethat provide actionable guidance that supports best practices and procedures in support of the implementation of CIO policies and directives, along with legislation, mandates, executive orders and other federal mandates.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eInformation Security and Privacy Program Summary\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS CISO and SOP are responsible for managing the Information Security and Privacy Program (henceforth “Program”). 
This section describes how specific functional areas of the Program help CMS stakeholders apply this \u003cem\u003ePolicy \u003c/em\u003ein protecting CMS information and information systems.\u003c/p\u003e\u003cp\u003eCMS security and privacy disciplines are now integrated into a single Program. However, there are requirements unique to each discipline. Privacy as well as security policies apply to CMS programs and activities at their inception, even before information systems are identified or defined. Business Owners must identify the security and privacy requirements, compliance documentation, and contract requirements prior to system development.\u003c/p\u003e\u003cp\u003ePrivacy policies apply to the collection, creation, use, disclosure, and retention of information that identifies an individual (i.e., PII, including PHI) in electronic or physical form. CMS's responsibility for protecting the privacy interests of individuals applies to all types of information, regardless of its form. All CMS standards, regulations, directives, practices, and procedures must clearly state that all forms of information must be protected.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePolicy and Governance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe policy and governance functional area establishes and implements the information security and privacy program which develops organizational security and privacy policies, standards, directives, practices, and procedures within the CMS environment. The responsibilities include developing, implementing, and disseminating this \u003cem\u003ePolicy \u003c/em\u003eto align with and supplement HHS policies, federal legislation, and best practices. 
The \u003cem\u003eCMS Acceptable Risk Safeguards (ARS) \u003c/em\u003eis the HHS Operating Division (OpDiv) of CMS's implementation of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and it contains detailed minimum control standards that are traceable to the policies contained herein. Each security and privacy control description provides CMS-specified implementation details for all the security and privacy controls allocated as a baseline to an identified CMS FISMA system based on the FIPS 199 Security Category. Additional CMS-established policies and procedures can serve as further guidance for administering CMS standards, requirements, directives, practices, and procedures for protecting CMS information and information systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management and Compliance\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe risk management and compliance functional area provides a multi-level approach to managing information system-related security and privacy risks at the \u003cem\u003eenterprise level\u003c/em\u003e, the \u003cem\u003emission/business process \u003c/em\u003elevel, and the \u003cem\u003einformation system \u003c/em\u003elevel to protect CMS information system assets and individuals accessing these assets. CMS provides a risk-based approach for managing information system-related security and privacy risk which is based on NIST SP 800-37, Revision 2, \u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. \u003c/em\u003eThis framework includes developing and updating risk management and compliance processes and procedures to align with HHS policies, federal legislation, and federal cybersecurity and privacy frameworks. 
The CMS security and privacy program, under the direction of the Chief Information Security Officer (CISO) and the Senior Official for Privacy (SOP), oversees the agency-wide implementation of this framework which includes Security Assessment and Authorization (SA\u0026amp;A), Continuous Diagnostics and Mitigation (CDM), FISMA reporting, internal assessments/audits, and other external assessments/audits.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe awareness and training functional area provides organizational security and privacy awareness training and specific role-based training (RBT) for all CMS stakeholders with Significant Security Responsibilities (SSR). The responsibilities include developing curriculum and content, delivering training, ensuring training policies and procedures are current, tracking training status, and reporting on completed security awareness and RBT courses.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCyber Threat and Incident Handling\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe cyber threat and incident handling functional area supports CMS's cyber threat intelligence, information sharing, and incident handling, including breach response. The responsibilities include developing, updating, and disseminating processes and procedures to coordinate information sharing and investigating incidents across CMS, following established CMS Incident Response (IR) procedures.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContinuity of Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe continuity of operations functional area provides plans and procedures to ensure continuity of operations for information systems that support CMS operations and assets. 
The responsibilities include developing processes and procedures for system contingency planning, disaster recovery, and participation in federal continuity exercises.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRoles and Responsibilities\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis section details significant information security and privacy roles and responsibilities for CMS stakeholders. The responsibilities, defined by role rather than position, are derived from the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, RBT requirements, and CMS-specific responsibilities. This section also enhances the responsibilities defined within the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, to address CMS's needs. Therefore, CMS stakeholders must also refer to the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003efor additional detail.\u003c/p\u003e\u003cp\u003eA current version of the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003emay be requested via the HHS Office of Information Security (OIS) mailbox at \u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\"\u003eHHSCybersecurityPolicy@hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eMost of the roles described in this section are restricted to federal employees based on the specific position and role they fulfill within the CMS organization, while others may be filled by either a federal employee or a contractor.\u003c/p\u003e\u003cp\u003eFor additional information, please check CMS Organizational Charts.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGeneral Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAll CMS personnel, whether federal employees, contractors (including subcontractors), or entities operating on behalf of CMS, must adhere to the information security and privacy 
responsibilities defined within this section. This subsection describes CMS-specific responsibilities for the roles “All Users” and “Supervisors.”\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eFederal Employees and Contractors (All Users)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAll CMS federal employees and contractors (including subcontractors) must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.36, \u003cem\u003eAll Users\u003c/em\u003e. All users have the responsibility to protect CMS's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction by complying with the information security and privacy requirements maintained in this Policy.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of the CMS federal employees and contractors must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConsider all \u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf\"\u003ebrowsing activities sensitive\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNotify the CMS CISO and SOP of actual or suspected information security and privacy incidents and breaches, including CMS sensitive data, using CMS specified procedures established in the CMS Incident Response (IR) procedures and applicable Rules of Behavior (RoB).\u003c/li\u003e\u003cli\u003eComplete mandatory security and privacy awareness training before accessing CMS information systems and annually thereafter.\u003c/li\u003e\u003cli\u003eFor all newly hired personnel and staff, and those who transfer into a new position with significant security and/or privacy responsibilities, complete specialized security or privacy RBT as appropriate for their assigned roles within 60 days of entry on duty or upon assuming new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/li\u003e\u003cli\u003eFor contractors with significant security and/or privacy responsibilities, complete specialized RBT within 60 days of beginning work on a contract. They must complete RBT at least annually thereafter.\u003c/li\u003e\u003cli\u003eReport anomalies when CMS programs, systems, or applications are collecting, creating, using, disclosing, or retaining more than the minimum data necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupervisors\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eSupervisors may be federal employees or contractors2 and must fulfill all responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.37, \u003cem\u003eSupervisors\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eIn addition to the HHS IS2P, the responsibilities of Supervisors include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eNotify the appropriate System Security and Privacy Officer (Previously known as ISSO) (or the CMS CISO or designee, if the System Security and Privacy Officer (Previously known as the ISSO) \u0026nbsp;is not available) within one hour of any unexpected departure or separation of a CMS employee or contractor.\u003c/li\u003e\u003cli\u003eEnsure personnel under their direct report complete all required information security training, including privacy and RBT, within the mandated time frames established in the CMS Incident Response (IR) procedures.\u003c/li\u003e\u003cli\u003eEnsure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity\u003c/a\u003e\u0026nbsp;designation as derived by the use of the \u003ca 
href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eHuman Resource Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eHuman Resource Officer must be an agency official (federal government employee) and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinating with appropriate CMS CIO POCs and Office of Security, Facilities and Logistics Operations (OSFLO) POCs to ensure background checks are conducted for individuals with significant security responsibilities.\u003c/li\u003e\u003cli\u003eNotifying the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) within one business day when CMS personnel are separated from the Department.\u003c/li\u003e\u003cli\u003eEnsuring relevant paperwork, interviews, and notifications are sent to the appropriate CMS POC (Manager, Supervisor, COR or CIO designated official) when personnel join, transfer within, or leave the organization, either permanently or on detail.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees \u003c/strong\u003ewith regard to security incidents.\u003c/li\u003e\u003cli\u003eParticipating at the request of the CMS CCIC in the investigation of \u003cstrong\u003eFederal employees\u003c/strong\u003e\u0026nbsp;relative to PII breaches and violations.\u003c/li\u003e\u003cli\u003eEnsuring all HR systems and records/data are maintained, used and shared in compliance with the Privacy Act of 1974, as amended (5 U.S.C. 
552a) and the HHS implementing regulations and applicable Systems of Records Notices (SORNs), and, all other applicable laws, policies and procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCMS Federal Executives\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of CMS Federal Executives, including the Administrator, Chief Financial Officer (CFO), Personnel and Physical Security Officers (PPSO), and Operations Executive (OE). Only agency officials (federal government employees) are authorized to fill these roles.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eAdministrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Administrator must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.2, \u003cem\u003eOpDiv Heads, \u003c/em\u003eincluding “Delegating responsibility and authority for management of HHS Operating Division (OpDiv) IT security and privacy programs to the OpDiv CIOs,” and those identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII). 
\u003c/em\u003eThese responsibilities include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDelegating responsibility and authority for making final decisions regarding external breach notification and issuing written notification to individuals affected by a privacy breach.\u003c/li\u003e\u003cli\u003eReceiving inquiries, investigations, or audits from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security Rules and coordinating responses with the Chief Information Officer and other appropriate staff.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eHHS's Continuity of Operations Program Policy also requires that the Administrator must:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIncorporate continuity of operations requirements into all CMS activities and operations\u003c/li\u003e\u003cli\u003eDesignate in writing an accountable official as the Agency Continuity Point of Contact, who is directly responsible to the Administrator for management oversight of the CMS continuity program and who is the single point of contact for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Financial Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CFO must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.3, \u003cem\u003eOffice of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO).\u003c/em\u003e\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003ePersonnel and Physical Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe PPSO must fulfill the shared responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, Section 7.6, \u003cem\u003eOffice of National Security (ONS). 
\u003c/em\u003eIn addition to the HHS IS2P, the general and incident response responsibilities of the PPSO must include, but are not limited to:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eProtect employees, visitors, and CMS-owned and CMS-occupied critical infrastructure\u003c/li\u003e\u003cli\u003eCoordinate national security information services to all components within the Office of the Administrator (OA).\u003c/li\u003e\u003cli\u003eCoordinate with appropriate CMS CIO POCs and HHS POCs to ensure background checks are conducted on all individuals identified by system owners with access to CMS information systems in accordance with \u003ca href=\"https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/\"\u003eposition sensitivity designation\u003c/a\u003e\u0026nbsp;as derived by the use of the \u003ca href=\"https://nbib.opm.gov/e-qip-background-investigations/\"\u003eappropriate CMS tool\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eParticipate at the request of law enforcement, the HHS Computer Security Incident Response Center (CSIRC), the HHS Office of the Inspector General (OIG), and/or the CMS Cybersecurity Integration Center (CCIC) in investigating security and privacy incidents and breaches involving federal employees and/or CMS contractor personnel.\u003c/li\u003e\u003cli\u003eParticipate at the request of the HHS Privacy Incident Response Team (PIRT) and/or the CMS Breach Analysis Team (BAT) in investigating incidents and/or violations involving federal employees, PII, PHI, and/or Federal Tax Information (FTI).\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOperations Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Operations Executive must fulfill the responsibilities that include, but are not limited to, the 
following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eOversee day-to-day information security and privacy operations for CMS employees.\u003cul\u003e\u003cli\u003eDevelop and maintain, in coordination with the CISO and SOP, the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resources Policy\u003c/em\u003e, to address, at a minimum, the following Acceptable Use standards:\u003cul\u003e\u003cli\u003ePrivacy requirements must be identified in contracts and acquisition-related documents.\u003c/li\u003e\u003cli\u003ePersonal use of CMS IT resources must comply with \u003cem\u003eHHS Policy for Personal Use of Information Technology Resources\u003c/em\u003e, such that personal use of CMS IT resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure all CMS system users annually read and sign the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information Resources\u003c/em\u003e, which governs the appropriate use of CMS IT resources.\u003c/li\u003e\u003cli\u003eInform CMS employees and contractors that use of CMS information resources, other than for authorized purposes, is a violation of the HHS RoB and Article 35 of the Master Labor Agreement and is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges that could result in imprisonment. 
CMS bargaining unit employees must also adhere to Article 35 of the Master Labor Agreement.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors encrypt CMS sensitive information transmitted to a non-CMS controlled environment,7 including but not limited to email, using Federal Information Processing Standard (FIPS) 140-3 compliant encryption solutions/modules.\u003c/li\u003e\u003cli\u003eEnsure CMS employees and contractors are prohibited from transmitting sensitive CMS information using any non-CMS approved, Internet-based mechanism, including but not limited to, personal email, file-sharing, file transfer, or backup services.\u003c/li\u003e\u003cli\u003eEnsure that any CMS contractor, other person, or organization that performs functions or activities that involve the use or disclosure of PHI on behalf of CMS have Business Associate Agreement provisions in their contracts or agreements per OAGM standard contract language requirements.\u003c/li\u003e\u003cli\u003eEnsure CMS uses PII internally only for the purpose(s) that are authorized by statute, regulation, or Executive Order; and when the PII is also considered PHI for treatment, payment, healthcare operations, or as permitted under HIPAA (e.g., for research as permitted under 45 CFR §164.512).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOffice Director, Office of Enterprise Data and Analytics and Chief Data Officer\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eThe Office Director of the Office of Enterprise Data and Analytics (OEDA) also serves as the CMS Chief Data Officer (CDO). The CDO must be an agency official (federal government employee). 
The CDO must establish and implement policies, practices, and standards for maximizing the value and impact of CMS data for internal and external stakeholders.\u003c/p\u003e\u003cp\u003eOEDA develops and implements a data services strategy to maximize use of data on all CMS programs, including issue papers, chart books, dashboards, interactive reports, data enclave services, public use files, and research identifiable files. OEDA oversees the creation of data sets that de-identify individuals and makes these data sets publicly available when there is legal authority permitting their creation. Methods for creating these data sets may include:\u003c/p\u003e\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(2) (the “Safe Harbor Rule”).\u003c/li\u003e\u003cli\u003eThe methodology set out at 45 CFR §164.514(b)(1) (the “Expert Determination Rule”).\u003c/li\u003e\u003cli\u003e\u003cp\u003eOEDA also oversees the creation of “limited data sets” (LDS), which are data sets to be used or disclosed for purposes of research, public health, or healthcare operations, using the methodology set out at 45 CFR §164.514(e).\u003c/p\u003e\u003cp\u003eThe Administrator may designate other specific responsibilities to the CDO as necessary.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eOffice Director, Office of Acquisition and Grants Management and Head of Contracting Activity\u003c/h4\u003e\u003cp\u003eThe Office Director of the Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA) also serves as the CMS Chief Acquisition Officer (CAO). The CAO must be an agency official (federal government employee) designated to advise and assist the head of the agency and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities. 
The responsibilities of the Chief Acquisition Officer include, but are not limited to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAdvise and assist the administrator and other agency officials to ensure that the mission of CMS is achieved through the management of the agency's acquisition activities.\u003c/li\u003e\u003cli\u003eCoordinate with the authorizing official, business owners, system owners, common control providers, chief information security officer, senior official for privacy, and risk executive (function) to ensure that security and privacy requirements are defined in organizational procurements and acquisitions.\u003c/li\u003e\u003cli\u003eMonitor the performance of the acquisition activities and programs.\u003c/li\u003e\u003cli\u003eEstablish clear lines of authority, accountability, and responsibility for acquisition decision-making within CMS.\u003c/li\u003e\u003cli\u003eManage the direction and implementation of the acquisition policy.\u003c/li\u003e\u003cli\u003eEstablish policies, procedures, and practices that promote full and open competition from responsible sources to fulfill best value requirements considering the nature of the property or service procured.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCenter and Office Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eEach CMS Center and Office Executive must nominate an appropriately qualified staff member as a Data Guardian to the Senior Official for Privacy (SOP) for approval. 
The executive must ensure the Data Guardian meets the following qualifications:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe a proficient consumer advocate\u003c/li\u003e\u003cli\u003eHave experience in identifying information security and privacy requirements\u003c/li\u003e\u003cli\u003eBe trained in using the CMS Risk Management Framework (RMF)\u003c/li\u003e\u003cli\u003eUnderstand the CMS Center/Office business processes and operations\u003c/li\u003e\u003cli\u003eHave respect for the role and impact PII and PHI play within the Center/Office and across the CMS enterprise.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation Security and Privacy Officers\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those federal employees with roles related to establishing this \u003cem\u003ePolicy \u003c/em\u003eand the associated Program designed to protect CMS information and information systems, including the CIO, CISO, SOP, Privacy Act Officer, Chief Technology Officer (CTO), Configuration Management Executive, Cyber Risk Advisor (CRA), Privacy Advisor, and Marketplace Senior Information Security Officer.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CIO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.11, \u003cem\u003eOpDiv CIOs, \u003c/em\u003eincluding serving as the Chief Risk Officer and Authorizing Official (AO) for all CMS FISMA systems. 
There is only one AO for all CMS FISMA systems.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CIO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDesignate the CISO as the authority for managing CMS incident response activities identified in the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eDefine recommended minimum System Security and Privacy Officer (previously known as ISSO) qualifications commensurate with the System Security and Privacy Officer (previously known as ISSO) role within CMS for both federal employees and contractors defined with NIST Significant Information Security and Privacy Responsibilities (SISPRs)\u003c/li\u003e\u003cli\u003eDefine mandatory information security and privacy training, education, and awareness activities undertaken by all personnel, including contractors, commensurate with identified roles and responsibilities\u003c/li\u003e\u003cli\u003eShare threat information as mandated by the Cybersecurity Enhancement Act of 2014\u003c/li\u003e\u003cli\u003eCoordinate with the CISO to establish configuration management processes and procedures\u003c/li\u003e\u003cli\u003eCreate and manage the review and approval of changes through the appropriate IT governance and change control bodies/boards\u003c/li\u003e\u003cli\u003eCoordinate with the CISO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications\u003c/li\u003e\u003cli\u003eRespond to any inquiries, investigations, or audits received from enforcement authorities, such as any initiated by the HHS Office for Civil Rights related to compliance with HIPAA or the HIPAA Privacy and Security 
Rules\u003c/li\u003e\u003cli\u003eEnsure that all CMS key stakeholders, including the Chief Financial Officer (CFO); Office Director, Office of Acquisition and Grants Management (OAGM) and Head of Contracting Activity (HCA); Senior Official for Privacy (SOP); mission, business, and policy owners; as well as the CISO organizations, are aware of risks associated with High Value Assets (HVAs)\u003c/li\u003e\u003cli\u003eEnsure the establishment and implementation of an HHS-specific or CMS-specific HVA Policy and HVA Management Program.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CISO must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.12, \u003cem\u003eOpDiv CISOs. \u003c/em\u003eThe CISO carries out the CIO's information security responsibilities under federal requirements in conjunction with the SOP.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements through the \u003cem\u003eCMS ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003ePublish CISO Directives as required to augment existing policy.\u003c/li\u003e\u003cli\u003eReview any requested waivers and deviations from this Policy and provide recommendations to the AO for risk acceptance.\u003c/li\u003e\u003cli\u003eServe as the security official who is responsible for the development and implementation of the policies and procedures that are required by the HIPAA Security Rule (please refer to 45 CFR §164.308(a)(2)).\u003c/li\u003e\u003cli\u003eDelegate the authority to approve system configuration deviations to the CRA and System Security and Privacy Officer (previously known as 
the ISSO), where appropriate.\u003c/li\u003e\u003cli\u003eEnsure CMS-wide implementation of HHS and CMS information security and privacy capabilities, policies, and procedures consistent with the NIST Risk Management Framework (RMF).\u003c/li\u003e\u003cli\u003eLead the investigation and resolution of information security and privacy incidents and breaches across CMS.\u003c/li\u003e\u003cli\u003eDefine and oversee the goals and requirements of Agency Security Operations.\u003c/li\u003e\u003cli\u003eCoordinate incident response and threat information sharing with the HHS CSIRC and/or HHS PIRT, as appropriate.\u003c/li\u003e\u003cli\u003eEnsure the information security continuous monitoring (ISCM) capabilities accomplish the goals identified in the ISCM strategy.\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process as part of the Program\u003c/li\u003e\u003cli\u003eApprove the appointment of the System Security and Privacy Officer (previously known as ISSO) by the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, SOP, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection by coordinating with the SOP and the CCIC Director to (1) disconnect or suspend interconnections and (2) ensure interconnections remain disconnected or suspended until the AO orders reconnection.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eRisk Executive (Function)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Risk Executive must be an agency official (federal government employee). 
The Risk Executive must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.13, \u003cem\u003eRisk Executive (Function)\u003c/em\u003e. The Administrator may designate specific responsibilities to the RE as necessary.\u003c/p\u003e\u003cp\u003eThe Risk Executive must also fulfill the responsibilities for agency-wide risk management strategies that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the CCIC to:\u003c/li\u003e\u003cli\u003eManage risk(s) identified in the threat landscape via cyber threat intelligence, vulnerability assessment, penetration testing, forensics, malware, insider threat, etc., and security and privacy risk(s) identified via risk assessments, security control assessments, internal/external audits, etc. (including supply chain risk[s] via the Division of Strategic Information [DSI]) information for organizational systems and the environments in which the systems operate.\u003c/li\u003e\u003cli\u003eUse the CDM program to identify and report on the risk posture of the portfolio of FISMA reported systems in near real time\u003c/li\u003e\u003cli\u003eUtilize the CFACTS system to report on the risk posture of the FISMA reported systems.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSenior Official for Privacy\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SOP must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.18, \u003cem\u003eOpDiv SOP\u003c/em\u003e. The responsibilities of the SOP must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLead CMS privacy programs and promote proper information security and privacy practices.\u003c/li\u003e\u003cli\u003eLead the development and 
implementation of privacy policies and procedures, including the following actions:\u003cul\u003e\u003cli\u003eEvaluate any new legislation that obligates the Program to create any regulations, policies, procedures, or other documents concerning collecting, creating, using, disclosing, or retaining PII/PHI.\u003c/li\u003e\u003cli\u003eEnsure an appropriate party will develop all such required policies or other documents.\u003c/li\u003e\u003cli\u003eEnsure policies exist to impose criminal penalties and/or other sanctions on CMS employees (consistent with the CMS Master Labor Agreement) and non-employees, including contractors and researchers, for violations of law and policy.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure privacy controls are implemented and enforced.\u003c/li\u003e\u003cli\u003eServe as the privacy official responsible for developing and implementing policies and procedures, receiving complaints, and providing further information related to the Notice of Privacy Practices, as required by the HIPAA Privacy Rule (please refer to 45 CFR §164.530(a)).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their rights to access, inspect, request additions or amendments, and obtain copies of their PII/PHI in a designated record set or in a Privacy Act system of records (SOR).\u003c/li\u003e\u003cli\u003eEnsure individuals are able to exercise their right to an accounting of disclosures of their PII/PHI by CMS or its business associates.\u003c/li\u003e\u003cli\u003eEnsure any use or disclosure of PII/PHI that is not for treatment, payment, health operations, or otherwise permitted or required by the HIPAA Privacy Rule or Privacy Act occurs only with the individual's authorization.\u003c/li\u003e\u003cli\u003eEnsure the Program develops and documents a Notice of Privacy Practices for all Medicare Fee-for-Service beneficiaries, as required by the HIPAA Privacy Rule, that defines the uses and disclosures of 
PHI.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, Data Guardian, System Security and Privacy Officer (previously known as ISSO), and Website Owner / Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eCoordinate as the lead and collaborate with the CISO to:\u003cul\u003e\u003cli\u003eDocument privacy requirements and manage privacy implementation as CMS information systems are designed, built, operated, or updated\u003c/li\u003e\u003cli\u003eProvide recommendations to the CIO regarding the privacy posture of FISMA systems and the use/disclosure of CMS information\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCo-chair the CMS Data Governance Board.\u003c/li\u003e\u003cli\u003eApprove the appointment of Data Guardians by the Center or Office Executive.\u003c/li\u003e\u003cli\u003eProvide overall direction for incident handling, which includes all incidents involving PII/PHI.\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of any interconnection\u003cul\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to disconnect or suspend interconnections\u003c/li\u003e\u003cli\u003eCoordinate with the CISO and the CCIC Director to ensure interconnections remain disconnected or suspended until the AO orders reconnection\u003c/li\u003e\u003cli\u003eReview HVAs and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII/PHI\u003c/li\u003e\u003cli\u003eEnsure that all required privacy documentation and materials are complete, accurate, and up to date.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Act Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Privacy Act Officer must be an agency official (federal government employee) and must fulfill all 
the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.20, \u003cem\u003eOpDiv Privacy Act Contact\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Privacy Act Officer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop, implement, and maintain policies and procedures related to the Privacy Act.\u003c/li\u003e\u003cli\u003eProcess Privacy Act requests, including requests requiring exceptions to the Privacy Act.\u003c/li\u003e\u003cli\u003eProvide guidance and advice on federal Privacy Act policies and procedures.\u003c/li\u003e\u003cli\u003eEvaluate the impact of the Privacy Act and regulations on the organization's activities.\u003c/li\u003e\u003cli\u003eCoordinate with CMS Offices and staff as needed.\u003c/li\u003e\u003cli\u003eRepresent CMS on issues related to the Privacy Act.\u003c/li\u003e\u003cli\u003eAssess Privacy Act-related risks associated with programs, operations, and technology.\u003c/li\u003e\u003cli\u003eSupport efforts across CMS to comply with the Privacy Act.\u003c/li\u003e\u003cli\u003ePlan and conduct training sessions on Privacy Act requirements.\u003c/li\u003e\u003cli\u003eEnsure procedures exist to:\u003cul\u003e\u003cli\u003eAuthenticate the identity of a person requesting PII/PHI and, as appropriate, the authority of any such person permitted access to PII/PHI\u003c/li\u003e\u003cli\u003eObtain any documentation, statements, or representations, as appropriate, whether oral or written, from the authorized person requesting the PII/PHI\u003c/li\u003e\u003cli\u003eIn responses to requests for disclosures, limit the PII/PHI disclosed to that which is the minimum amount reasonably necessary to achieve the intended purpose of the disclosure or request, relying (if such reliance is reasonable under the circumstances) on the precise scope of the requested disclosure to 
determine the minimum necessary information to be included in the disclosure\u003c/li\u003e\u003cli\u003eIn structuring all CMS processes, ensure that to the greatest degree practicable each person receives only the PII/PHI data elements and records that the person needs (e.g., the data elements the person needs to perform all tasks within the scope of their assigned responsibilities). When CMS requests PII/PHI from third parties, ensure the PII/PHI requested is limited to the amount reasonably necessary to accomplish the purpose for which the request is made.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eChief Technology Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Chief Technology Officer (CTO) must be an agency official (federal government employee). The CIO may designate specific responsibilities to a CTO as necessary.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eConfiguration Management Executive\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Configuration Management Executive must be an agency official (federal government employee) and must provide executive-level oversight for configuration management and contingency planning.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eCyber Risk Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eCyber Risk Advisors (CRAs) may be federal employees or contractors. 
The CISO may designate the authority to approve system configuration deviations to the CRA where appropriate.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CRA must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAct as the subject matter expert in all areas of the \u003cem\u003eCMS RMF.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEvaluate, maintain, and communicate the risk posture of each FISMA system to executive leadership and make risk-based recommendations to the AO.\u003c/li\u003e\u003cli\u003eSupport the CMS stakeholders in ensuring that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced; serve as an active participant in the system development life cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs considering security, functionality, and cost.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Information System Owner (ISO), Business Owner, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts and manage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC as appropriate and results are considered during the development phase of the SDLC.\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed 
information security and privacy artifacts to provide recommendations to the System Security and Privacy Officer (previously known as ISSO).\u003c/li\u003e\u003cli\u003eProvide guidance to CMS stakeholders on required actions, potential strategies, and best practices for closure of identified weaknesses.\u003c/li\u003e\u003cli\u003eUpload findings spreadsheets to the CMS FISMA Controls Tracking System (CFACTS).\u003c/li\u003e\u003cli\u003eEnsure AO-issued authorization is updated in CFACTS.\u003c/li\u003e\u003cli\u003eServe as the authority to approve selected system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eRemind System Security and Privacy Officer (previously known as ISSO) with expiring or expired letters to resubmit their appointment letters using a new letter.\u003c/li\u003e\u003cli\u003eUpload signed System Security and Privacy Officer (previously known as ISSO) appointment letter(s) to CFACTS.\u003c/li\u003e\u003cli\u003eCoordinate with the BO, ISO, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact the organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrivacy Advisor\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePrivacy Advisors may be federal employees or contractors and work under the direction of the SOP. 
The Privacy Advisor must fulfill responsibilities that include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify opportunities to integrate Fair Information Practice Principles (FIPP) into CMS business processes and information systems.\u003c/li\u003e\u003cli\u003eEvaluate legislation, regulations, and policies that may affect how CMS collects, uses, stores, discloses, or retires PII; identify their potential impacts on CMS; and recommend responsive actions to the CMS management or others that request guidance.\u003c/li\u003e\u003cli\u003eFor IT systems, coordinate with the Business Owner, CRA, Data Guardian, ISO, and System Security and Privacy Officer (previously known as ISSO) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the privacy impacts, and manage information security and privacy risk, including:\u003cul\u003e\u003cli\u003eReview the Privacy Impact Assessment (PIA) and existing CFACTS documentation to verify that the PIA follows HHS/CMS guidance and verify that privacy risks have been appropriately documented\u003c/li\u003e\u003cli\u003eEvaluate privacy-related agreements (e.g., Computer Matching Agreements [CMA], Information Exchange Agreements [IEAs], and Memoranda of Agreement / Understanding [MOA/MOU]) to verify that privacy requirements are satisfied and privacy risks are adequately addressed, both initially and when periodically reviewed, and provide guidance and advice on these agreements to Business Owners, ISOs, and other CMS staff as needed\u003c/li\u003e\u003cli\u003eContinuously monitor all findings of privacy risk or deficiency, including by monitoring progress against privacy-related POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003eTrack the progress of enterprise privacy risk mitigation activities across portfolios\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eProvide ISPG perspective during TRB reviews to 
assess the impact of changes to IT systems on privacy issues and work to mitigate those impacts.\u003c/li\u003e\u003cli\u003eWork with System Security and Privacy Officer (previously known as ISSO) to evaluate system changes to determine whether privacy risks are sufficiently significant to require updates to Authority To Operate (ATO) documents.\u003c/li\u003e\u003cli\u003eWork with BO, ISO, CRA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eWorks with CRAs to verify that decommission and disposition plans for IT systems do not create significant privacy risks.\u003c/li\u003e\u003cli\u003eAssist in developing reports on any aspect of privacy requested by CMS senior management, HHS, external auditors, or any other party authorized to request and receive such information.\u003c/li\u003e\u003cli\u003eProvide recommendations concerning the privacy risks and practices relevant to IT systems.\u003c/li\u003e\u003cli\u003eProvide incident handling support for incidents involving PII.\u003c/li\u003e\u003cli\u003eAdvise CMS healthcare programs on compliance with privacy and related cybersecurity requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAffordable Care Act (ACA) Senior Information Security Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe ACA Senior Information Security Officer must be an agency official (federal government employee).\u003c/p\u003e\u003cp\u003eThe responsibilities of the ACA Senior Information Security Officer must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the overall information security and privacy of the Health Insurance Marketplace (HIM) by driving integration, collaboration, and innovation across disparate groups under the HIM program.\u003c/li\u003e\u003cli\u003eRepresent 
the interests of the CCIIO, as well as the CIO, CISO, and SOP by integrating the work of the managers and staff of multiple units to ensure an acceptable information security and privacy posture through visibility, compatibility, and situational awareness.\u003c/li\u003e\u003cli\u003eProvide technical and policy guidance during all phases of the SDLC to balance risk-based tradeoffs among information security, privacy, functionality, and cost.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Records Officer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Records Officer must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsuring compliance with the Federal Records Act of 1950, National Archives and Records Administration (NARA) regulations and/or guidance, OMB directives, and Government Accountability Office (GAO) audit requirements.\u003c/li\u003e\u003cli\u003eServing as Chairperson of the CMS Records Management Office.\u003c/li\u003e\u003cli\u003eDevelop CMS records management policies and procedures.\u003c/li\u003e\u003cli\u003eProviding agency-wide guidance, training, and assistance for compliance with laws and regulations\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSupply Chain Risk Management (SCRM) Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe SCRM Manager must be an agency official (federal government employee), and must fulfill the responsibilities that include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eManaging the development, documentation, and dissemination of the supply chain risk management policy and procedures.\u003c/li\u003e\u003cli\u003eAnalyze and assess the effects and impacts of existing and proposed federal legislation on CMS policies as it relates to supply chain risk management.\u003c/li\u003e\u003cli\u003eFacilitate 
or attend SCRM-related working group meetings to promote the supply chain risk management program and share policy updates and supply chain risk challenges and solutions to relevant CMS stakeholders.\u003c/li\u003e\u003cli\u003eResearch, identify, analyze and recommend countermeasures and mitigations for supply chain risks that promote supply chain resilience.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eProgram and Information System Roles\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes the information security and privacy responsibilities of those with roles related to CMS programs and the associated information systems. Program Executives oversee CMS programs and may also serve as ISOs and/or Business Owners. ISOs, referred to as “System Owners” in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e, take responsibility for the operation of information systems required by the CMS program. Business Owners, referred to in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eas “Data Owners/Business Owners,” take primary responsibility for the information and data processed by the CMS program.\u003c/p\u003e\u003cp\u003eThis subsection also identifies specific information security and privacy responsibilities of the ISOs, Data Guardians, Business Owners, Contracting Officers (CO), Contracting Officer's Representatives (COR), and Program/Project Managers. This subsection also describes the responsibilities of the System Security and Privacy Officer (previously known as ISSO), including auxiliary responsibilities of the Security Control Assessor and Contingency Planning Coordinator (CPC) that may be filled by the System Security and Privacy Officer (previously known as ISSO). 
The final subsection describes specific responsibilities of the Security Operations Center/Incident Response Team (SOC/IRT).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eInformation System Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISO must be an agency official (federal government employee) and must fulfill all of the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23 IS2P, \u003cem\u003eSystem Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS ISO must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIn coordination with the Data Guardian and Business Owner\u003cul\u003e\u003cli\u003eNominate appropriately qualified System Security and Privacy Officer (previously known as ISSO) appointees, as defined under FISMA, to the CISO for approval.\u003c/li\u003e\u003cli\u003eEnsure that information security and privacy for each information system are planned, documented, and integrated from project inception through all phases of the CMS SDLC.\u003c/li\u003e\u003cli\u003eConsult and coordinate with the CIO and SOP to identify, negotiate, and execute appropriate governing artifacts and agreements before sharing CMS information.\u003c/li\u003e\u003cli\u003eIdentify program or system roles that have NIST Significant Information Security or Privacy Responsibilities (SISPRs) within their purview and oversee the system-specific Rules of Behavior (RoB) training applicable to system(s) in their portfolio.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, Business Owner, CRA, Privacy Steward, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS or the component of CMS 
conducting the collection of PII/PHI has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, sharing, and disclosure of PII/PHI and subsequent appropriate disposal after disposition and retirement\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure each system's Change Control Board (CCB):\u003cul\u003e\u003cli\u003eIs an integral part of the information system change management process.\u003c/li\u003e\u003cli\u003eImplements applicable governing standards as defined in the \u003cem\u003eARS.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eSupports the creation of baseline configuration documentation to reflect ongoing implementation of the operational configuration baseline updates.\u003c/li\u003e\u003cli\u003eSupports the change management processes to address change requests (CRs) for each system so that an appropriate Security Impact Analysis is performed by the System Security and Privacy Officer (previously known as ISSO) or designated staff.\u003c/li\u003e\u003cli\u003eApproves System Security and Privacy Officer (previously known as ISSO) information security configuration recommendations to address weaknesses and system deficiencies.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure employees and contractors receive the appropriate training and education regarding relevant information security and privacy laws, regulations, and policies governing the information assets they are responsible for protecting.\u003c/li\u003e\u003cli\u003eServe as the attestation official for approving the common controls provided by the system.\u003c/li\u003e\u003cli\u003eInclude the Security Control Assessor or representative from the system as a member of the CCB in all configuration management processes that include the system. 
If the System Security and Privacy Officer (previously known as ISSO) or Security Control Assessor acts as a voting member of the CCB, they must be federal employees.\u003c/li\u003e\u003cli\u003eMaintain change documentation in accordance with the CMS Records Retention Policy\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Guardian\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Data Guardian must be an agency official (federal government employee) and must fulfill shared responsibilities with the CMS Business Owner identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Data Guardian must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eRepresent the Center or Office on the Data Guardian Committee under the auspices of the CMS Data Governance Board to ensure a coordinated and consistent approach to protecting PII across the CMS enterprise.\u003c/li\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the ISO, Business Owner, CRA, and ISSO (Now referred to as Security and Privacy Officer) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information 
systems\u003c/li\u003e\u003cli\u003eDetermine the privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eIdentify and pursue opportunities to proactively enhance information security and privacy controls and increase awareness of the evolving information security and privacy threats to the information assets of the Center or Office.\u003c/li\u003e\u003cli\u003eAttend quarterly Data Guardian Meetings.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSafeguard PII by creating an information security and privacy awareness culture that adheres to information security and privacy standards and requirements designed to protect CMS data assets as directed by the CISO and SOP.\u003c/li\u003e\u003cli\u003eGather lessons learned and communicate best practices for protecting PII to their Center or Office.\u003c/li\u003e\u003cli\u003eParticipate in incident response activities affecting the Center or Office information security and privacy posture.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eBusiness Owner\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Business Owner must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.27, \u003cem\u003eData Owner/Business Owner \u003c/em\u003ein coordination with the Data Guardian. CMS Business Owners are the Group Directors or Deputy Group Directors who have the primary business needs that are or will be addressed by CMS IT investments/projects. 
The responsibilities of the CMS Business Owner must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the requirements of the CMS Policy for IT Investment Management \u0026amp; Governance or its successor policy.\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with the COs and CORs to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the SOP to ensure appropriate information security and privacy contracting language from relevant sources is incorporated into each IT contract. 
Relevant sources must include, but are not limited to, the following:\u003cul\u003e\u003cli\u003eHHS ASFR\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eFor each FISMA system and collection of PII/PHI, coordinate with the Data Guardian, ISO, CRA, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with the \u003cem\u003eCMS ARS\u003c/em\u003e, and when collecting or using FTI, with Internal Revenue Service (IRS) \u003cem\u003ePublication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e.\u003c/li\u003e\u003cli\u003eCoordinate with ISO, CRA, PA, and the System Security and Privacy Officer (previously known as ISSO) in documenting Risk-based Decisions which impact their organizational FISMA system in accordance with CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDocument data that are collected and maintained and certify that the data are authorized, relevant, and necessary to CMS's mission.\u003c/li\u003e\u003cli\u003eOwn the information stored, processed, or transmitted in CMS's information systems and limit access to the data/information.\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems that are permitted by routine use under CMS System of Records Notices (SORN) through appropriate vehicles to authorize or deny the release of PII.\u003c/li\u003e\u003cli\u003eVerify that CMS's programs or systems only disclose the minimum data necessary.\u003c/li\u003e\u003cli\u003eDetermine and certify that the information security and privacy controls that protect CMS's systems are commensurate with the sensitivity of the data being 
protected.\u003c/li\u003e\u003cli\u003eEstablish and revise, in coordination with the Privacy Act Officer, SORNs and computer matching agreements in accordance with the established procedures.\u003c/li\u003e\u003cli\u003ePrepare PIAs for programs or systems in accordance with the direction provided by the CRA.\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and the determination of the appropriate action to be taken regarding external notification of privacy breaches as well as the reporting, monitoring, tracking, and closure of PII incidents.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eContracting Officer and Contracting Officer's Representative\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS CO and COR must be agency officials (federal government employees) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.34, \u003cem\u003eCO and COR.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS CO and COR must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the CISO, SOP, Privacy Act Officer, and Data Guardian are consulted during contract development and that the latest information security and privacy contract language is included in all contracts, as applicable.\u003c/li\u003e\u003cli\u003eWork with the Business Owner to determine the minimum necessary PII/PHI required to conduct each activity for which the agency is authorized.\u003c/li\u003e\u003cli\u003e\u003cp\u003eCollect training records demonstrating that all CMS contractors with significant security and/or privacy responsibilities complete specialized RBT commensurate with their roles within 60 days of beginning work on a contract, upon commencement of the contractor's work, annually thereafter, and upon 
request.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eProgram/Project Manager\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Program/Project Manager must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.35, \u003cem\u003eProject/Program Manager \u003c/em\u003ein coordination with the Data Guardian.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Program/Project Manager must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure information security and privacy-related actions identified by the CMS SDLC meet all identified information security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure contractors follow all required information security and privacy policies, standards, and procedures\u003c/li\u003e\u003cli\u003eEnsure contractors follow all required procedures and provide all required documentation when requesting/gaining access to PII\u003c/li\u003e\u003cli\u003eEnsure contractors use the minimum data required to perform approved tasks\u003c/li\u003e\u003cli\u003eEnsure contractors return data covered by approved information sharing agreements at the end of the contract or task to the COR for proper destruction\u003c/li\u003e\u003cli\u003eEnsure appropriate notification and corrective actions, as described in the CMS Incident Handling procedure, are taken when a privacy breach is declared and involves a contractor or a public-private partnership operating a SOR on behalf of CMS.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003ePrimary System Security and Privacy Officer (previously known as 
P-ISSO)\u0026nbsp;\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Primary System Security and Privacy Officer (previously known as P-ISSO) may be either a federal government employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.24, \u003cem\u003eSystem Security and System Privacy Officers (previously referred to as ISSO)\u003c/em\u003e. The System Security and Privacy Officer (previously known as ISSO) must ensure the duties of the Security Control Assessor and Contingency Planning Coordinator are completed as described in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSections 7.26 and 7.30, and further elaborated in this subsection.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Primary System Security and Privacy Officer (previously known as P-ISSO)) must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor each FISMA system or collection of PII/PHI, coordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to:\u003cul\u003e\u003cli\u003eIdentify the types of information processed\u003c/li\u003e\u003cli\u003eEnsure that CMS has the legal authority, either under a statute or an executive order, to conduct activities involving the collection, use, and disclosure of PII/PHI\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information systems\u003c/li\u003e\u003cli\u003eDetermine the information security and privacy impacts\u003c/li\u003e\u003cli\u003eManage information security and privacy risk\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eReport compliance on secure protocol use in websites periodically as defined within the \u003cem\u003eCMS 
ARS\u003c/em\u003e.\u003c/li\u003e\u003cli\u003eSubmit System Security and Privacy Officer (previously known as ISSO) appointment letter for assigned system when nominated for approval and resubmit every two (2) years for review.\u003c/li\u003e\u003cli\u003eSubmit recommendations to the CRA for system configuration deviations from the required baseline.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and Website Owner/Administrator to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and application.\u003c/li\u003e\u003cli\u003eCoordinate with the System Developer and Maintainer in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eDocument the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance.\u003c/li\u003e\u003cli\u003eCoordinate with BO, CRA, and the PA in documenting Risk-based Decisions which impact their organizational FISMA system in accordance to CMS Acceptable Risk Safeguards.\u003c/li\u003e\u003cli\u003eAct as one of the attestation officials for any authorization request for certification for an Authority-To-Operate (ATO) from the CMS Authorization Official (AO).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003ePrivacy\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eCoordinate with the Data Guardian, ISO, Business Owner, PA, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for PII, PHI, and FTI in accordance with the \u003cem\u003ePrivacy Act\u003c/em\u003e, \u003cem\u003eE-Government Act\u003c/em\u003e, the HIPAA Privacy and Security Rules, and all applicable 
guidance.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain current system information in CFACTS (such as POCs and artifacts) to support organizational requirements and processes (e.g., communication, contingency planning, training, and data calls).\u003c/li\u003e\u003cli\u003eCoordinate with the Business Owner, ISO, and CISO to ensure that all requirements specified by the \u003cem\u003eCMS ARS \u003c/em\u003eare implemented and enforced for applicable information and information systems.\u003c/li\u003e\u003cli\u003eEnsure anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and ISCM activities are addressed and remediated in a manner that is commensurate with the risks posed to the system from the anomalies.\u003c/li\u003e\u003cli\u003eEvaluate the impact of network and system changes using standard processes.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eSystem Development Life Cycle\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eInitiation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview and confirm that contracts include appropriate information security and privacy language.\u003cul\u003e\u003cli\u003eCoordinate with Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure the system appears in CFACTS.\u003c/li\u003e\u003cli\u003eGenerate a draft PIA in coordination with the Business Owner.\u003c/li\u003e\u003cli\u003eEvaluate whether other privacy artifacts are required.\u003c/li\u003e\u003cli\u003eComplete System Security Categorization.\u003c/li\u003e\u003cli\u003eIdentify system-specific information security and privacy training needs.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eConcept\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify and discuss risk with the Program Manager and Business Owner.\u003c/li\u003e\u003cli\u003eIdentify any investment needs to ensure each FISMA system meets security and privacy requirements.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003ePlanning\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop a System Security and Privacy Plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure Security Control Assessment is scheduled.\u003c/li\u003e\u003cli\u003eIdentify training needs.\u003c/li\u003e\u003cli\u003eReview or develop a corresponding security architecture diagram.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eRequirements Analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eConduct formal information security risk assessment (ISRA)\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eComplete documentation activities, including the privacy documents.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDesign\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure that security architecture ingress/egress points are reviewed to meet CMS security requirements.\u003c/li\u003e\u003cli\u003eEnsure data is transmitted, processed, and stored securely.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDevelopment\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify software code is developed in accordance with the \u003cem\u003eCMS Technical Reference Architecture (TRA) 
\u003c/em\u003eand SDLC information security and privacy guidelines.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eTest\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eSchedule internal tests such as penetration testing.\u003c/li\u003e\u003cli\u003eCoordinate with the CCIC to ensure assets are identified within monitoring tools.\u003c/li\u003e\u003cli\u003eEnsure use case security testing is incorporated into system functional testing.\u003c/li\u003e\u003cli\u003eEnsure change control processes are followed in accordance with the system security and privacy plan (SSPP).\u003c/li\u003e\u003cli\u003eEnsure auditing logs are appropriately capturing required information.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eImplementation\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure third-party testing begins and weaknesses are resolved quickly.\u003c/li\u003e\u003cli\u003eEnsure each FISMA system is authorized for operation before the go-live date.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eOperation and Maintenance\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAddress weaknesses and POA\u0026amp;Ms.\u003c/li\u003e\u003cli\u003eReview available reports.\u003c/li\u003e\u003cli\u003eRoutinely evaluate risk posture based on change requests.\u003c/li\u003e\u003cli\u003eConduct Security Impact Analysis (SIA) at the direction of the Business Owner.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the 
SDLC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDisposition\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify the proper disposition of hardware and software.\u003c/li\u003e\u003cli\u003eVerify data are archived securely in accordance with the National Archives and Records Administration (NARA) requirements and in coordination with the Data Guardian.\u003c/li\u003e\u003cli\u003eInitiate the request to close out the project file in CFACTS.\u003c/li\u003e\u003cli\u003eParticipate in governance and project reviews identified in the SDLC.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecondary System Security and Privacy Officer (previously known as S-ISSO) and System Security and Privacy Officer Contractor Support (previously known as ISSOCS)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Secondary System Security and Privacy Officer (previously known as S-ISSO) may be either a federal government employee or a contractor identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.25, \u003cem\u003eSystem Security and Privacy Officer (previously referred to as ISSO) Designated Representative / Security Steward \u003c/em\u003eand must assist the Primary System Security and Privacy Officer (previously known as P-ISSO). 
The System Security and Privacy Officer Contractor Support (previously known as ISSOCS) is a contractor-only role that assists and supports the Primary System Security and Privacy Officer (previously known as P-ISSO) and Secondary System Security and Privacy Officer (previously known as S-ISSO) roles in fulfillment of their CMS cybersecurity duties.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSecurity or Privacy Control Assessor\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Security or Privacy Control Assessor (also referred to as Certification Agent) role may be performed by a System Security and Privacy Officer (previously known as ISSO). The CMS Security or Privacy Control Assessor must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.23, \u003cem\u003eSecurity or Privacy Control Assessor\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eContingency Planning Coordinator\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe CMS Contingency Planning Coordinator may either be a federal government employee or a contractor. The role may also be performed by a System Security and Privacy Officer (previously known as ISSO). 
The CMS Contingency Planning Coordinator must fulfill all the responsibilities identified in the HHS \u003cem\u003ePolicy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.30, \u003cem\u003eContingency Planning Coordinator.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Contingency Planning Coordinator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eWork as part of an integrated project team to ensure contingency plans and related operational procedures accommodate all business resumption priorities and the defined applicable Maximum Tolerable Downtimes (MTD)\u003c/li\u003e\u003cli\u003eEnsure procedures exist that achieve continuity of operations of business objectives within appropriately targeted systems with any applicable Recovery Time Objective (RTO) and Recovery Point Objective (RPO) identified in the Business Impact Assessment\u003c/li\u003e\u003cli\u003eEnsure that the contingency plan is activated if any computer security incident disrupts the system; if the disruption is not resolved within the system's RTO, implement the system's disaster recovery procedures.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSecurity Operations Center/Incident Response Team\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe FISMA system SOC/IRT may consist of federal employees or contractors and must fulfill all the FISMA system-level responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv CSIRT, \u003c/em\u003eand the applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS PIRT\u003c/em\u003e. 
The FISMA system SOC/IRT reports to the Agency Security Operations, which is responsible for CMS-wide incident management.\u003c/p\u003e\u003cp\u003eThe Data Guardian, Business Owner, and ISO, in coordination with the CISO, have ownership of and responsibility for incident response and reporting for the FISMA system. The execution of this function begins at the data center/contractor site housing the FISMA system. Once an incident is declared, the CCIC coordinates with FISMA system SOC/IRT and Agency Security Operations personnel for all incident management activities.\u003c/p\u003e\u003cp\u003eThe FISMA system SOC/IRT operates under the direction and authority of the System Security and Privacy Officer (previously known as ISSO) and the Business Owner/ISO. The FISMA system SOC/IRT monitors for, detects, and responds to information security and privacy incidents within the FISMA system environment. The FISMA system SOC/IRT also provides timely, accurate, and meaningful reporting to the FISMA system stakeholders.\u003c/p\u003e\u003cp\u003eFISMA systems may perform the SOC/IRT capability by using a separate CMS CISO-approved SOC/IRT service provider. 
Any FISMA system SOC/IRT that is unable to deploy the required capabilities may establish an agreement with the CCIC to provide SOC/IRT services.\u003c/p\u003e\u003cp\u003eThe responsibilities of the FISMA system SOC/IRT must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFor the FISMA system, perform:\u003cul\u003e\u003cli\u003eReal-time network and system security monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to information security and privacy incidents and breaches\u003c/li\u003e\u003cli\u003eSecurity sensor tuning and management and infrastructure operations and maintenance (O\u0026amp;M).\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEnsure flaw remediation (e.g., patching and installation of compensating controls), planning, ongoing scanning (e.g., ISCM), help desk, asset management, and ticketing are performed for the FISMA system in a manner that meets or exceeds CMS requirements.\u003c/li\u003e\u003cli\u003eEnsure the SOC/IRT-specific tools are implemented and deployed according to the CCIC and vendor technical guidance.\u003c/li\u003e\u003cli\u003eEnsure SOC/IRT-specific tools/equipment are isolated, as appropriate, from operational networks and systems.\u003c/li\u003e\u003cli\u003eServe as the FISMA systems information security and privacy lead on behalf of CCIC and HHS CSIRC.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReport FISMA system information security and privacy incidents and breaches to CCIC and HHS CSIRC as required by federal law, regulations, mandates, and directives, and as reflected in the CMS established procedures.\u003c/li\u003e\u003cli\u003eReport cyber threat/intelligence/information to CCIC as required by federal law, regulations, mandates, and 
directives.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003ePrivileged Users\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis subsection describes specific information security and privacy responsibilities of users with privileged access to CMS information systems. For example, a privileged user\u003csup\u003e11\u003c/sup\u003e is any user that has sufficient access rights to modify, including disabling, controls that are in place to protect the system. The responsibilities for all privileged users must include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLimit the use of privileged access to those administrative functions requiring elevated privileges.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem/Network Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System/Network Administrator may be a federal employee or a contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.33, \u003cem\u003eSystem Administrator\u003c/em\u003e. 
Per the HHS IS2P, the system administrator role includes, but is not limited to, other types of system administrators (e.g., database administrators, network administrators, web administrators, and application administrators).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWebsite Owner/Administrator\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Website Owner/Administrator may be a federal employee or contractor and must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.28, \u003cem\u003eWebsite Owner/Administrator\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CMS Website Owner/Administrator must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement proper system backups and patch management processes.\u003c/li\u003e\u003cli\u003eAssess the performance of security and privacy controls associated with the web service to ensure the residual risk is maintained within an acceptable range.\u003c/li\u003e\u003cli\u003eCoordinate with the CIO, CISO, SOP, Data Guardian, and System Security and Privacy Officer (previously known as ISSO) to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications.\u003c/li\u003e\u003cli\u003eLimit connections to publicly accessible federal websites and web services to approved secure protocols.\u003c/li\u003e\u003cli\u003eEnsure federal websites and web services adhere to Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS)\u003csup\u003e12\u003c/sup\u003e practices.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eSystem Developer and Maintainer\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS System Developer and Maintainer must be an agency official (federal government employee) and must fulfill all the responsibilities identified in the 
\u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.31, \u003cem\u003eSystem Developer and Maintainer\u003c/em\u003e. The responsibilities of the CMS System Developer and Maintainer must also include, but are not limited to, the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eIdentify, tailor, document, and implement information security- and privacy-related functional requirements necessary to protect CMS information, information systems, missions, and business processes, including:\u003cul\u003e\u003cli\u003eEnsure the requirements are effectively integrated into IT component products and information systems through purposeful security architecting, design, development, and configuration in accordance with the CMS SDLC and change management processes\u003c/li\u003e\u003cli\u003eEnsure the requirements are adequately planned and addressed in all aspects of system architecture, including reference models, segment and solution architectures, and information systems that support the missions and business processes\u003c/li\u003e\u003cli\u003eEnsure automated information security and privacy capabilities are integrated and deployed as required.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the System Security and Privacy Officer (previously known as ISSO) to identify the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems.\u003c/li\u003e\u003cli\u003eFollow the CMS SDLC in developing and maintaining a CMS system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among planned and implemented information security and privacy safeguards and the features installed on the system\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003cem\u003eCMS TRA.\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the RMF tasks listed in NIST 
SP 800-37 Revision 2\u003cem\u003e.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that currently disseminate data for any purpose are capable of extracting data by pre-approved categories.\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eEnterprise Architect (Function)\u003c/h3\u003e\u003cp\u003eThe Enterprise Architect must be an agency official (federal government employee). The Enterprise Architect must fulfill all the responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P)\u003c/em\u003e Section 7.32. \u003cem\u003eEnterprise Architect\u003c/em\u003e. The CIO may designate specific responsibilities to the Enterprise Architect as necessary.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Enterprise Architect must also include, but are not limited to the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevelop and disseminate strategies, policies, and standards to implement the Enterprise Architecture program.\u003c/li\u003e\u003cli\u003eManage the agency's Enterprise Architecture resources.\u003c/li\u003e\u003cli\u003eProvide leadership in developing, maintaining, and implementing a sound and integrated Enterprise Architecture for the agency and its sub-organizations.\u003c/li\u003e\u003cli\u003eOrganize and chair the agency's Enterprise Architecture advisory group to provide cross-organization business and technical input to Enterprise Architecture-related matters, ensuring CMS programmatic and technical participation in Enterprise Architecture-related activities.\u003c/li\u003e\u003cli\u003eDefine, document, and align the agency's Enterprise Architecture with HHS Enterprise Architecture.\u003c/li\u003e\u003cli\u003eEnsure implementation of the Enterprise Architecture alignment reviews, 
verification of Enterprise Architecture approvals, and granting of waivers within the agency's Capital Planning and Investment Control (CPIC) investment planning and reviews, acquisition procedures, and SDLC project phase reviews.\u003c/li\u003e\u003cli\u003eMonitor program and project artifacts for alignment with Enterprise Architecture requirements, identifying and reporting non-conforming projects for resolution.\u003c/li\u003e\u003cli\u003eAdvise and inform all contractors and developers of Enterprise Architecture standards and compliance requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS adopts data stewardship mechanisms necessary for Enterprise Architecture data of acceptable quality to be created, captured, entered, and maintained promptly in the HHS Enterprise Architecture Repository.\u003c/li\u003e\u003cli\u003eRecommend technical standards to the agency Technical Review Board, ensuring submission to the HHS Chief Enterprise Architect of proposed modifications to HHS Enterprise Architecture and technology standards to meet CMS business requirements.\u003c/li\u003e\u003cli\u003eEnsure that CMS Enterprise Architecture-related training requirements are identified, planned for, and implemented.\u003c/li\u003e\u003cli\u003eAdvise or ensure that Enterprise Architecture advice is available to all CMS IT project teams.\u003c/li\u003e\u003cli\u003eRepresent CMS on the HHS Enterprise Architecture Review Board (EARB), and all agency, departmental, and intergovernmental Enterprise Architecture-related advisory bodies or working groups.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAgency Security Operations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAgency Security Operations must fulfill all OpDiv responsibilities identified in the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.16, \u003cem\u003eOpDiv Computer Security Incident Response Team (CSIRT), \u003c/em\u003eand 
applicable responsibilities under the \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003eSection 7.17, \u003cem\u003eHHS Privacy Incident Response Team (PIRT)\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eSecurity operations are a shared responsibility between CMS Agency Security Operations and the ISO's SOC/IRT. For each FISMA system, System Developers and Maintainers are expected to establish, maintain, and operate a SOC/IRT to provide FISMA system situational awareness and incident response. For the CMS enterprise, Agency Security Operations maintains visibility and incident management across all FISMA systems, providing management, information sharing and coordination, unified response (including containment and mitigation approaches), and required reporting across the enterprise to CMS Management.\u003c/p\u003e\u003cp\u003eThe responsibilities for Agency Security Operations, both within the CCIC and across all SOC/IRTs, must also include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure all personnel with responsibilities for incident response complete annual RBT.\u003c/li\u003e\u003cli\u003eEnsure non-federal technical personnel (SOC/IRT and CCIC) obtain and maintain appropriate commercial information assurance certification credentials that have been accredited by the American National Standards Institute (ANSI) or an equivalent authorized body under the ANSI/International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 17024 Standard.\u003cul\u003e\u003cli\u003ePersonnel who do not hold a commercial information assurance certification credential must obtain an appropriate credential within six months of the individual's start date or the release date of this document, whichever is later.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eEncourage 
federal oversight personnel (SOC/IRT and CCIC) to obtain and maintain a commercial information assurance certification credential that has been accredited by ANSI or an equivalent authorized body under the ANSI/ISO/IEC 17024 Standard.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eDirector for the CMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC operates under the direction and authority of the CMS CISO, who appoints the Director for the CCIC.\u003c/p\u003e\u003cp\u003eThe responsibilities of the Director for the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the operational execution of the CCIC function enables the CMS CISOs strategic vision.\u003c/li\u003e\u003cli\u003eOversee the operation of the CCIC.\u003c/li\u003e\u003cli\u003eEnable CCIC capabilities (penetration testing, security engineering, etc.) to efficiently and effectively enhance the CMS enterprise security posture by performing their roles across the enterprise in coordination with CMS groups, partners, and contractors.\u003c/li\u003e\u003cli\u003eSupport the CISO and SOP when immediate disconnection or suspension of any interconnection is required.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAwareness and Training\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Cybersecurity Integration Center\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CCIC monitors, detects, and isolates information security and privacy incidents and breaches across the CMS enterprise IT environment. The CCIC provides continual situational awareness of the risks associated with CMS data and information systems throughout CMS. 
The CCIC also provides timely, accurate, and meaningful reporting across the technical, operational, and executive spectrum.\u003c/p\u003e\u003cp\u003eThe responsibilities of the CCIC must include, but are not limited to, the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as the primary entity in CMS responsible for maintaining CMS-wide operational cyber security situational awareness, based on coordinated enterprise ISCM activities and the overall information security and privacy risk posture of CMS.\u003c/li\u003e\u003cli\u003eServe as the information security and privacy lead organization for coordinating within CMS and identified external organizations for Cyber Threat Intelligence (CTI) sharing, analysis, and response activities, including:\u003cul\u003e\u003cli\u003eIdentify enterprise threats and disseminate advisories and guidance\u003c/li\u003e\u003cli\u003eIdentify and coordinate response with SOC/IRT to ongoing threats to CMS\u003c/li\u003e\u003cli\u003eDevelop and share Indicators of Compromise (IOC)\u003c/li\u003e\u003cli\u003eDevelop and disseminate unified containment and mitigation approaches\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine minimum interoperable defensive technology requirements for CMS systems.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eIncident Response\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eServe as CMSs primary POC with HHS CSIRC.\u003c/li\u003e\u003cli\u003eReport CMS information security and privacy incidents and breaches to HHS CSIRC.\u003c/li\u003e\u003cli\u003ePerform malware analysis and advanced analytics in support of unified incident response.\u003c/li\u003e\u003cli\u003eCoordinate with the Data Guardian when PII is involved.\u003c/li\u003e\u003cli\u003eCoordinate with the CMS Counterintelligence and Insider Threat Program Office, as 
appropriate.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAssessment and Authorization\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDefine enterprise-wide information security and privacy requirements for all phases of the SDLC.\u003c/li\u003e\u003cli\u003eDefine an enterprise-wide, continual assessment process that:\u003cul\u003e\u003cli\u003eValidates incident response processes and procedures\u003c/li\u003e\u003cli\u003eMeets federal law, regulations, mandates, and directives for continual assessment\u003c/li\u003e\u003cli\u003eDefines the security data monitored by all SOCs/IRTs and made available to the CCIC\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDefine reporting metrics that are compliant with federal law, regulations, mandates, and directives for:\u003cul\u003e\u003cli\u003ePenetration testing\u003c/li\u003e\u003cli\u003eInformation security continuous monitoring\u003c/li\u003e\u003cli\u003eInformation security and privacy incident and breach response\u003c/li\u003e\u003cli\u003eCyber threat intelligence\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDetermine risk and impact on the CMS enterprise based on:\u003cul\u003e\u003cli\u003eReal-time monitoring and triage\u003c/li\u003e\u003cli\u003eAnalysis, coordination, and response to incidents\u003c/li\u003e\u003cli\u003eCollection, sharing, and analysis of CTI (i.e., knowing the adversary)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eDevelop, in coordination with the CCIC Director, information security and privacy RBT requirements for CCIC and FISMA system SOC/IRT personnel.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAgency Continuity Point of Contact\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Agency Continuity Point of Contact must be an agency official (federal government employee) and is the individual the Administrator designates as the accountable official who 
will:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePerform the duties and responsibilities of the Agency Continuity Point of Contact, as set out in HHS's Continuity of Operations Program Policy.\u003c/li\u003e\u003cli\u003eBe directly responsible to the Administrator for management oversight of the CMS continuity program.\u003c/li\u003e\u003cli\u003eServe as the single POC for coordination within CMS for continuity matters.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eIT Advisory Organizations\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS Executive Management established IT advisory and decision-making bodies. These organizations ensure proper project planning and proper use of CMS information, and provide technical guidance ensuring IT projects properly integrate within the CMS environment. These organizations promote CMS strategic objectives and enforce federal requirements, including information security and privacy.\u003c/p\u003e\u003cp\u003eThe primary IT Advisory Organizations relevant to information system security and privacy policy are:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e, co-chaired by the Chief Operating Officer (COO) and CIO, manages oversight of all CMS investment-related governance boards.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Board (GRB)\u003c/strong\u003e, chaired by the CIO, CFO, and Head of Contracting Activity, with the Budget Development Group Chairs as members, is the Agency's IT Investment Review Board and serves as the decision or approval authority for IT expenditure and 
Capital Planning and Investment Control.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e is the support staff that gathers information to assist the GRB in making decisions.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eTechnical Review Board (TRB)\u003c/strong\u003e, chaired by the CTO and supported by IT Governance, serves as a key member of the Target Life Cycle Governance Program. It advises and guides IT project teams that are moving through the Target Life Cycle to ensure their solutions conform to the CMS Technical Reference Architecture.\u003c/li\u003e\u003cli\u003eThe \u003cstrong\u003eData Governance Board (DGB)\u003c/strong\u003e, led by the OEDA CMS Chief Data Officer, supports overall agency data governance and works with the national data sets supplied by CMS to different programs.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStrategic Planning Management Council (SPMC)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Strategic Planning Management Council (SPMC) provides leadership and support for executing CMS strategic objectives across all CMS investments. The SPMC provides a forum for ongoing collaboration among teams and overall management of the CMS Strategy.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Board (GRB)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Board (GRB) is established as part of the CMS IT Governance process to enforce the implementation of CMS enterprise standards and strategy. The GRB consists of CMS Senior Leadership which reviews the recommendations for project alternatives. 
The GRB does not make funding decisions; however, it reviews proposed options and potential solutions to ensure the best solution is implemented by the project team to address the business needs.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Governance Review Team (GRT) is a project planning body that supports project teams in determining the steps needed to ensure projects are in alignment with CMS Security and Privacy Policy. The GRT will:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMake recommendations to the GRB on proposed business cases and alternative analysis ensuring the project:\u003cul\u003e\u003cli\u003eFulfills a need;\u003c/li\u003e\u003cli\u003eDoes not duplicate current processes or functions; and\u003c/li\u003e\u003cli\u003eIs in alignment with current IT Portfolio Goals\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eAdvise Project Teams on the IT Governance Process.\u003c/li\u003e\u003cli\u003eConsist of Subject Matter Experts who support CMS stakeholders in the development of their projects and business cases.\u003c/li\u003e\u003cli\u003eReview Business Cases and support the GRB by providing ongoing review of proposed and operational systems for adherence to CMS policies.\u003c/li\u003e\u003cli\u003eCoordinate with other governance boards to ensure further reviews are implemented when necessary.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eTechnical Review Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe Technical Review Board (TRB) is an advisory board established to ensure IT investments are consistent with CMS's IT strategy. The board manages updates to the \u003cem\u003eCMS TRA \u003c/em\u003eto promote the CMS IT strategy and assists projects by ensuring solutions are technically sound and are on track to deliver promised capabilities on time and on budget. 
The TRB:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvides technology leadership to deliver business value and anticipate change to meet the current and long-term needs of CMS programs.\u003c/li\u003e\u003cli\u003eImplements and communicates CMS's IT strategy to ensure projects' solutions are cost-effective, sustainable, and support the agency's business.\u003c/li\u003e\u003cli\u003eProvides technical guidance to ensure CMS's IT Investments are properly integrated into the CMS environment.\u003c/li\u003e\u003cli\u003eSupports teams in building IT features.\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eData Governance Board\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS Data Governance Board (DGB) provides executive leadership and stewardship of the agency's data assets, including oversight for the development and implementation of the policies and processes which govern the collection or creation, management, use, and disclosure of CMS data.\u003c/p\u003e\u003cp\u003eThe DGB ensures intra-agency transparency and data stewardship to promote efficient and appropriate use of, and investment into, agency data resources. Transparency and data stewardship include:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cem\u003eOpenness: \u003c/em\u003ePromoting and facilitating the open sharing of knowledge about CMS data, including an understanding of how and where agency data are collected or created, stored, managed, and made available for analysis.\u003c/li\u003e\u003cli\u003e\u003cem\u003eCommunication: \u003c/em\u003ePromoting partnerships across the CMS enterprise to eliminate duplication of effort, stove-piping, and one-off solution designs.\u003c/li\u003e\u003cli\u003e\u003cem\u003eAccountability: \u003c/em\u003eEnsuring agency-wide compliance with approved data management principles and policies. 
Understanding the objectives of current and future strategic or programmatic initiatives and how they impact, or are impacted by, existing data management principles and policies as well as current privacy and security protocols.\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eIntegrated Information Security and Privacy Policies\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eCMS Tailored Policies\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cem\u003eHHS Policy for Information Systems Security and Privacy Protection (IS2P) \u003c/em\u003edelineates information security and privacy policies, including both mandated security controls and a provision for CMS to develop its own controls over CMS information and information systems as long as the HHS baseline requirements are met. CMS tailored specific security controls to ensure they meet the mission and vision of the organization. This section lists the tailored controls which include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eControls explicitly mandated for CMS by an authoritative agent (e.g., HHS or other federal agency requirements).\u003c/li\u003e\u003cli\u003eControls modified to address the CMS implementation (e.g., CMS architecture, risk framework, and life cycle management).\u003c/li\u003e\u003cli\u003eControls that address specialized topics that extend beyond NIST 800-53, Revision 5 (e.g., the Federal Risk and Authorization Management Program [FedRAMP], and FISCAM).\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEmployee Monitoring / Insider Threat (CMS-EMP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-1 \u003c/strong\u003eThe use of warning banners is mandatory on all CMS information systems in accordance with federal and HHS policy and the ARS control requirements. 
A warning banner states that by accessing a CMS information system, (e.g., logging onto a CMS computer or network), the employee consents to having no reasonable expectation of privacy regarding any communication or data transiting or stored on that system, and the employee understands that, at any time, CMS may monitor the use of CMS IT resources for lawful government purposes. \u003cem\u003e(For the purposes of this policy requirement, the term “employee” includes all individuals who have been provided and currently have access to CMS IT resources and who are current employees, contractors, guest researchers, visiting scientists, and fellows. The term excludes individuals who are not or are no longer CMS employees, contractors, guest researchers, visiting scientists, or fellows.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-2 \u003c/strong\u003eIn accordance with HHS policy, the CMS CIO must carry out monitoring in a fashion that protects employee interests and ensures the need for monitoring has been thoroughly vetted and documented.\u003c/p\u003e\u003cp\u003eComputer monitoring of an employee at CMS may be requested by HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cem\u003e(For the purposes of this policy, the term “computer monitoring” covers monitoring of CMS IT resources, including real-time or contemporaneous observation, prospective monitoring, (e.g., using monitoring software), and retrospective review and analyses (e.g., of email sent or received, of computer hard-drive contents) focusing on an individual employee. This section of policy does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or FISMA that perform general system and network monitoring or examinations of computers for malware. 
Additionally, computer monitoring excludes any review and analysis requested by or approved by the employee(s) being covered. This does not apply to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act (FOIA) requests, and investigations by the Government Accountability Office (GAO) and the Office of Special Counsel. Such retrospective searches may be conducted with the consent of the employee or the authorization of the CMS CIO.)\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-3 \u003c/strong\u003eAll requests from outside law enforcement agencies must be coordinated through the HHS/OIG, except for requests relating to national security or non-criminal insider threat matters. The latter must be coordinated via the Counterintelligence and Insider Threat Program of the Division of Strategic Information (DSI), which in turn coordinates with the HHS/ONS on all requests. Such external computer monitoring requests may be subject to different standards, partly because they are covered by the internal controls of the requesting agency or judicial process.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-4 \u003c/strong\u003eNo CMS official may initiate computer monitoring without advance written authorization by the CMS Administrator or the CMS CIO. By HHS policy, this authority to authorize monitoring may not be delegated below the CMS CIO. Prior to submission of a monitoring request, the CMS CIO or HHS/ONS consults with the HHS Office of the General Counsel (OGC). 
The requesting organization documents the basis for approving any request for computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-5\u003c/strong\u003e Computer monitoring may only be authorized for the following reasons:\u003c/p\u003e\u003col\u003e\u003cli\u003eMonitoring has been requested by the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program Office, or an outside law enforcement authority in accordance with CMS Administrative Services Group, DSI and federally recognized jurisdiction.\u003c/li\u003e\u003cli\u003eReasonable grounds exist to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information (e.g., confidential commercial information or \u003cem\u003ePrivacy Act \u003c/em\u003eprotected information).\u003c/li\u003e\u003cli\u003eReasonable grounds exist to believe that the individual to be monitored may have violated an applicable law, regulation, or written HHS or CMS policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eRoutine IT equipment examinations are permissible when malware searches are involved. 
Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this policy except for follow-up actions that involve computer monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-6 \u003c/strong\u003eIn circumstances in which HHS/OIG requests computer monitoring for purposes of an HHS/OIG investigation or where HHS/OIG requires assistance in the conduct of computer monitoring, HHS/OIG will provide such information or notification as is consistent with its responsibilities, duties, and obligations under the \u003cem\u003eInspector General Act of 1978, \u003c/em\u003eas amended.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.1\u003c/em\u003e In concert with the HHS/OGC, the CMS CIO must develop a memorandum of understanding (MOU) or similar written agreement with outside law enforcement agencies as a precondition for approving monitoring requests from these organizations. The MOU must include the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eTitle and organizational component of the person(s) authorized to make monitoring requests on behalf of the law enforcement agency.\u003c/li\u003e\u003cli\u003eDocumentation of the source of the official request demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring (e.g., a subpoena [administrative or grand jury], warrant, national security letter [NSL], or other acceptable documented request [e.g., a written law enforcement administrative request that meets applicable requirements of the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA requirements for certain disclosures to law enforcement agencies]).\u003c/li\u003e\u003cli\u003eAny restrictions applicable to the handling and disclosure of confidential information that may be produced by monitoring.\u003c/li\u003e\u003cli\u003eOther items consistent with this memorandum, including handling sensitive communications, as described in the 
following bullet (Documentation).\u003c/li\u003e\u003cli\u003eDocumentation: the written authorization for computer monitoring describes the reason for the monitoring. If the monitoring is initiated at the request of outside law enforcement authorities, the authorization documents that the request was approved, consistent with the applicable MOU with that organization, by an official of the governmental entity that has the authority to request the initiation of such monitoring.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.2\u003c/em\u003e Except for monitoring initiated at the request of an outside law enforcement authority or the HHS/OIG, the party requesting the monitoring must document the factual basis justifying the request for monitoring and the proposed scope of the request. Requests for such monitoring must include an explanation of how monitoring will be conducted, how the information collected during monitoring will be controlled and protected, and a list of individuals who will have access to the resulting monitoring information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMP-6.3\u003c/em\u003e A record of all requests for monitoring must be maintained by the CMS CIO along with any other summary results or documentation produced during the period of monitoring. The record must also reflect the scope of the monitoring by documenting search terms and techniques. All information collected from monitoring must be controlled and protected with distribution limited to the individuals identified in the request for monitoring and other individuals specifically designated by the CMS Administrator or CMS CIO as having a specific need to know such information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-7 \u003c/strong\u003eThe CMS Administrator or CMS CIO must ensure authorized computer monitoring is appropriately narrow in scope and time-limited and takes the least invasive approach to accomplish monitoring objectives. 
The CMS Administrator or CMS CIO, in reviewing requests for monitoring, must consider whether there are alternative information gathering methods that CMS can utilize to address the concern in lieu of monitoring. When the monitoring request originates from HHS/OIG or outside law enforcement, CMS will grant appropriate deference to a request made in accordance with this policy.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-8\u003c/strong\u003e No monitoring authorized or conducted may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys. Employee union officials of CMS will be treated, for non-targeted monitoring purposes, as all other employees of CMS when monitoring is necessary. If such protected communications are inadvertently collected or identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring or anyone else without express written authorization from the HHS/OGC and other appropriate HHS official(s).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-9 \u003c/strong\u003eWhen a request for computer monitoring is made by a party other than an outside law enforcement authority or the HHS/ONS, HHS/OIG, CMS Counterintelligence and Insider Threat Program, CMS must consult with the OGC as to whether the monitoring is consistent with all applicable legal requirements, including the \u003cem\u003eWhistleblower Protection Act \u003c/em\u003eand \u003cem\u003eHIPAA, \u003c/em\u003eand consider whether there are any additional limits. 
In addition, except for monitoring initiated at the request of outside law enforcement or the HHS/OIG, parties that receive information derived from monitoring must consult with the OGC as to potential restrictions on the use of such information under applicable law.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-10 \u003c/strong\u003eThe CMS CIO must review all employee monitoring every month and, in consultation with the party who requested the monitoring, assess whether it remains justified or is to be discontinued. The CMS CIO must consider whether or not the decision for ongoing monitoring must be reviewed by the OGC. A decision to continue monitoring must be explained and documented in writing by the CMS CIO, who must report at least monthly to the CMS Administrator regarding the status of any ongoing monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMP-11\u003c/strong\u003e The CMS CIO and the OGC may make recommendations to the CMS Administrator for additional procedures, if necessary, to address specific circumstances not addressed in this policy. 
Insider threat policies and procedures that deviate from the elements of this policy, however, must not be implemented without the written concurrence of the HHS CIO in consultation with the OGC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Management Framework (CMS-RMF)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCMS-RMF-1\u003c/strong\u003e The CMS CISO must develop and maintain within the ARS \u003cem\u003eAssessment, Authorization, and Monitoring \u003c/em\u003efamily of controls minimum controls to ensure information systems: (i) are assessed at least every three years or whenever a significant change occurs (as defined in the CMS established procedures; NIST SP 800-37, revision 2, describes examples of significant changes to an information system that should be reviewed for possible re-authorization) to the information system to determine if security and privacy controls are effective in their application; (ii) have POA\u0026amp;Ms designed to correct\u0026nbsp;deficiencies and reduce or eliminate vulnerabilities; (iii) are authorized for processing (including any associated information system connections) by the CMS CIO; and (iv) are monitored on an ongoing basis to ensure the continued effectiveness of the controls. In addition, the CMS CISO, where necessary to add clarity, provides methods in the form of \u003cem\u003eChapters, Procedures, \u003c/em\u003eand/or \u003cem\u003eStandards \u003c/em\u003ewithin the CMS established procedures to facilitate implementation, assurance, and tracking effectiveness of those controls. 
Minimally, these processes and procedures must address the following:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.1 \u003c/em\u003eEnsure all systems and networks receive a system categorization in accordance with the frameworks set forth in FIPS 199, NIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories\u003c/em\u003e, as amended, and please refer to the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.2 \u003c/em\u003eEnsure CMS Business Owners/ISOs conduct risk assessments on systems and networks and document the result in accordance with NIST SP 800-30, \u003cem\u003eGuide for Conducting Risk Assessments\u003c/em\u003e, as amended\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.3\u003c/em\u003e Ensure the CMS Business Owners/ISOs review and update risks, as necessary, no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.4\u003c/em\u003e Ensure CMS Business Owners/ISOs implement appropriate information security and privacy controls as documented in an information system security and privacy plan for each CMS system and network in accordance with NIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and that CMS Business Owners/ISOs review and update plans as needed but no less than annually or when significant changes occur to the system/network.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.5\u003c/em\u003e Ensure CMS Business Owners/ISOs implement and document information security and privacy controls outlined in NIST SP 800-53, Revision 5.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.6 \u003c/em\u003eAssess the controls using the procedures outlined in NIST SP 800-53A, as amended, \u003cem\u003eAssessing Security and Privacy Controls in Information Systems and 
Organizations.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.7\u003c/em\u003e Develop, disseminate, and review/update: (i) formal, documented security assessment and authorization standards that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.8\u003c/em\u003e Determine (i) the required level of Security Control Assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets and to individuals; and (ii) if the level of Security Control Assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.9\u003c/em\u003e Ensure all CMS systems and networks are formally assessed and authorized using the methodology outlined in NIST SP 800-37 Revision 2, and in accordance with the minimum content requirements for the creation of security authorization packages, as stated in the ARS and the CMS established procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.10 \u003c/em\u003eEnsure the \u003ca href=\"https://csrc.nist.gov/glossary/term/security_control_assessor\"\u003eSecurity Control Assessor(s)\u003c/a\u003e\u0026nbsp;is identified and assigned prior to applying the RMF tasks to the information system. 
The AO for the information system (i) is the CMS CIO, (ii) authorizes the information system for processing before commencing operations, and (iii) uses the results of the ISCM process to the maximum extent possible as the basis for rendering a re-authorization decision.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.11\u003c/em\u003e Require SIA and PIA review when any significant change occurs to a CMS system, network, physical environment, etc., to assess the impact of the change on the information security and privacy of the information processed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.12 \u003c/em\u003eEnsure CMS Business Owners/ISOs request to re-authorize all systems at least every three years or when a significant change occurs to the system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-RMF-1.13\u003c/em\u003e Develop an ISCM strategy and implement an ISCM program that includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003e(i) a configuration management process for the information system and its constituent components;\u003c/li\u003e\u003cli\u003e(ii) determination of the security impact of changes to the information system and environment of operation;\u003c/li\u003e\u003cli\u003e(iii) ongoing information security and privacy control assessments in accordance with the organizational ISCM strategy; and\u003c/li\u003e\u003cli\u003e(iv) reporting on the security state of the information system to appropriate organizational officials.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe organization assesses the information security and privacy controls in an information system, at a minimum, as part of (i) security authorization or re-authorization, (ii) meeting the FISMA requirement for annual assessments, (iii) ISCM, and (iv) testing/evaluation of the information system as part of the SDLC process. 
Those controls that are the most volatile (e.g., controls mostly affected by ongoing changes to the information system or its environment of operation) or deemed essential to protecting CMS operations and assets, individuals, other organizations, and the nation are assessed more frequently in accordance with the CMS CISO's assessment of risk as defined in the CMS established procedures. All other controls are assessed at least once during the information system's three-year authorization cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Systems Development Life Cycle (CMS-SDLC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSecurity Architecture and Engineering (SA\u0026amp;E) activities help CMS Components align with enterprise information security and privacy capabilities, reporting processes, and requirements. SA\u0026amp;E ensures that the information security environment continues to meet business needs and address new and emerging threats by identifying risks and providing adequate information security and privacy protections through testing, implementation, and improvement of new and existing technologies and processes. To help guide a unified enterprise approach to implementing information security and privacy architecture, the risk management and compliance functional area publishes and updates information security and privacy technical guidance and provides input into the development of TRA security-related supplements.17 Security Assessment and Authorization (SA\u0026amp;A) processes help CMS Business Owners/ISOs comply with Capital Planning and Investment Control (CPIC) processes and CMS's SDLC processes to incorporate the security requirements of the ARS and the CMS TRA to obtain system authorization, also referred to as Authority to Operate (ATO), prior to operation. 
The CMS CISO and SOP follow the procedures outlined in the RMF for SA\u0026amp;A in accordance with FISMA and the direction of the CMS CIO.\u003c/p\u003e\u003cp\u003eThe SA\u0026amp;A processes help CMS stakeholders identify information security and privacy risks, assess the adequacy of information security and privacy controls, and ensure information security and privacy responsibilities are assigned prior to authorizing systems for operation. These processes incorporate ISCM and periodic manual assessment techniques to appropriately test the ongoing effectiveness of all controls.\u003c/p\u003e\u003cp\u003eBy following CPIC, SDLC, and RMF, System Developers and Maintainers include information security and privacy requirements from project initiation throughout the life cycle and implement the appropriate controls to manage information security and privacy risk.\u003c/p\u003e\u003cp\u003eThe ARS provides specific standards for completing the RMF process and includes descriptions of the artifacts required to document information and information system controls. The SA\u0026amp;A processes result in identification of information security and privacy risks that must be managed by the POA\u0026amp;M processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-1\u003c/strong\u003e The CISO must integrate information security and privacy into the CMS life cycle processes. 
The SDLC provides the processes and practices of the CMS system development life cycle in accordance with the \u003cem\u003eCMS Policy for Information Technology (IT) Investment Management \u0026amp; Governance\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-2\u003c/strong\u003e Program Executives must engage the System Security and Privacy Officer (previously known as ISSO), CRA, and privacy team early and throughout the SDLC.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-SDLC-3\u003c/strong\u003e The SDLC processes and procedures must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.1\u003c/em\u003e Integrate information security and privacy requirements into all CMS SDLC activities (i.e., The four distinct phases of the CMS TLC include Initiate, Develop, Operate, and Retire).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.2\u003c/em\u003e Ensure critical SDLC stage gate reviews are conducted to govern the information security and privacy posture of the system being developed. The TRB must evaluate the information security and privacy risk introduced by the system and provide guidance to improve system architecture and engineering.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eThe CMS Technical Review Board (TRB) provides technical guidance to assist project teams with their IT investments and enable them to be integrated within CMS' IT environment. At the project level, the TRB has advisory support services to ensure project solutions are technically sound and on track to deliver the target capabilities. 
The TRB also promotes IT reuse, information sharing, and systems integration across the Agency.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.3 \u003c/em\u003eAssign information security and privacy roles for the information system.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.4\u003c/em\u003e Ensure system information security and privacy controls are assessed.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-SDLC-3.5\u003c/em\u003e Ensure system authorization prior to entering the O\u0026amp;M phase of the SDLC.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCloud Computing Requirements (CMS-CLD)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS developed CMS-CLD policies to provide guidance and direction on the acceptable uses of cloud service providers (CSP) and cloud computing services in compliance with the \u003cem\u003eFederal Cloud Computing Strategy (Cloud Smart) \u003c/em\u003ewhen used as part of a CMS FISMA system\u003cem\u003e. \u003c/em\u003eThe CMS-CLD policies define directives concerning the procurement, deployment, and utilization of cloud computing services across the CMS enterprise.\u003c/p\u003e\u003cp\u003eIn accordance with \u003ca href=\"https://cloud.cio.gov/strategy/\"\u003e\u003cem\u003eCloud Smart\u003c/em\u003e\u003c/a\u003e, CMS permits cloud services within the CMS environment. 
CMS established the policies in this section to guide the use of cloud services and cloud computing installations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-1\u003c/strong\u003e All cloud service implementations used must have an approved Federal Risk and Authorization Management Program (FedRAMP) Authorization and CMS-issued ATO\u003cstrong\u003e.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-CLD-1.1\u003c/em\u003e If a Software as a Service (SaaS) product does not have a current FedRAMP authorization, a Rapid Cloud Review (RCR) and a CMS-issued Provisional Authority to Operate (P-ATO) would be needed to assess FedRAMP readiness.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-2 \u003c/strong\u003eAll FISMA systems and applications deployed on a CSP service must have a valid CMS-issued ATO.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-CLD-3\u003c/strong\u003e All CSP systems must integrate with continuous monitoring and identity management systems.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Email Encryption Requirements (CMS-EMAIL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with information security and privacy encryption policies defined by federal laws, executive orders, directives, regulations, policies, standards, and guidance (e.g., HIPAA, Health Information Technology for Economic and Clinical Health [HITECH], Privacy Act, and IRS Publication 1075). 
The CMS Email Encryption Requirements control family provides the CMS standards for implementing information security and privacy controls.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-EMAIL-1\u003c/strong\u003e CMS Sensitive Information must be protected and only sent to recipients with a “need to know.” Emails containing sensitive information must be protected using one of the following steps:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.1\u003c/em\u003e Ensure unencrypted emails containing sensitive information remain within the CMS email service environment (i.e., “jane.doe@cms.hhs.gov”) or trusted domain.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2 \u003c/em\u003eFor recipients outside of the CMS email service environment or trusted domain:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.1\u003c/em\u003e Encrypt sensitive email and email attachments using the certificates contained on federally issued Personal Identity Verification (PIV) cards.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.2 \u003c/em\u003ePlace the CMS sensitive information in a password-protected, encrypted email attachment using software that meets FIPS 140-2 (e.g., SecureZip).\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-EMAIL-1.2.3\u003c/em\u003e Sending passwords for an encrypted attachment via email is prohibited. Instant messaging clients that are integrated with Microsoft Outlook, such as Lync/Skype, must not be used to communicate passwords. Acceptable approaches for sharing passwords include phone conversation, text message, or a shared secret. 
The method chosen must protect the password from compromise.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eProgram Specific Requirements\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Level Control Packages\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS has enterprise-level security and privacy controls for inheritance that are based on information security and privacy policies, programs or services that are provided by the offices of the CIO and CISO. These controls must be accounted for within the CMS governance, risk and compliance (GRC) tool in order for them to be leveraged as inherited controls among the FISMA systems. As part of the GRC tool, the systems are designated as FISMA systems, but they are not actual FISMA systems and are not subject to the requirements listed in section 8.1.2. Risk Management Framework (CMS-RMF).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eHigh Value Assets\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCMS must comply with the Office of Management and Budget (OMB) Memorandum M-19-03, \u003cem\u003eStrengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program\u003c/em\u003e; the Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02, \u003cem\u003eSecuring High Value Assets; \u003c/em\u003eand the \u003cem\u003eHHS High Value Asset (HVA) Program Policy\u003c/em\u003e (August 2019).\u003c/p\u003e\u003cp\u003eThe \u003cem\u003eHHS HVA Program Policy \u003c/em\u003edefines HVAs as:\u003c/p\u003e\u003cp\u003eAssets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eThe HHS policy requires CMS to 
establish appropriate governance of HVA activities across its organization and integrate HVA remediation activities into its planning, programming, budgeting, and execution process. These efforts will align with federal law, regulations, standards, and guidelines, as well as CMS policies, processes, and procedures. To meet the HHS policy, CMS will conduct the following activities:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-1\u003c/strong\u003e The CMS CIO develops a process for creating and maintaining an HVA inventory, consistent with any format and content specified by HHS. Upon request, the Program will complete or update the inventory. HHS may require the inventory to note any or all threats, vulnerabilities, and impacts, and the likelihood of each of these occurring, associated with each system. CMS will share its HVA inventory with HHS upon request, following HHS instructions.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-2\u003c/strong\u003e When creating or updating HVA-related contracts and acquisition requirements, CMS Contracting Officer's Representatives (COR) must incorporate appropriate language from the HHS Security and Privacy Language for Information and Information Technology Procurements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-3\u003c/strong\u003e HVA-related artifacts must be handled as directed by OMB and DHS. These documents include instructions for securing and encrypting all correspondence involving HVA-related information.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-4 \u003c/strong\u003eHVAs must have a valid Authority to Operate (ATO). 
An ATO must reflect that appropriate safeguards have been implemented to protect the HVA, many of which will be specific to HVAs.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-5 \u003c/strong\u003eSecurity assessments must be conducted as a minimum requirement by the CISA-Led Assessment Team for Tier 1 HVAs, Third Party/Independent Assessor for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 2 HVAs\u003c/a\u003e, and Self-Assessment for \u003ca href=\"https://www.cisa.gov/hva-pmo\"\u003eTier 3 HVAs\u003c/a\u003e at the frequency and rigor stipulated by CISA.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-HVA-6\u003c/strong\u003e The CMS CIO, Senior Official for Privacy (SOP) or designated official, must develop a Standard Operating Procedure (SOP) for reviewing CMS's HVAs to identify those HVAs that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFederal Taxpayer Information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSystems that collect, maintain, use, or disclose Federal Tax Information (FTI) must follow IRS requirements for protecting FTI. Business Owners of CMS systems, with direction provided by the OIT, must ensure that all applicable information security and privacy controls, whether\u0026nbsp;imposed by an organization or office internal or external to CMS, are incorporated into CMS systems.\u003c/p\u003e\u003cp\u003eThe IRS defines Federal Tax Information as federal tax returns and return information (and information derived from it) that is in the agency's possession or control which is covered by the confidentiality protections of the Internal Revenue Code (IRC) and subject to the IRC 6103(p)(4) safeguarding requirements including IRS oversight. 
CMS often receives, accesses, and uses FTI in conducting its business processes.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-1\u003c/strong\u003e Business Owners that collect, maintain, use, or disclose FTI must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.1\u003c/em\u003e Comply with IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.2\u003c/em\u003e Document and certify the incorporated controls in their respective system security and privacy plan and identify residual risks in the corresponding risk assessment for their systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.3\u003c/em\u003e Disclose FTI to its agents solely for purposes for which there is an appropriate legal authority, and for which IRS has granted an exception permitting its disclosure.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.4\u003c/em\u003e Notify the IRS Office of Safeguards prior to re-disclosing FTI to contractors. Notify and obtain written approval from the IRS Office of Safeguards prior to re-disclosing FTI to sub-contractors.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.5\u003c/em\u003e Notify the IRS Office of Safeguards when there has been a breach of FTI.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-1.6\u003c/em\u003e Execute a contract or other agreement with any recipient of the FTI. 
The contract must require the recipient to abide by IRS Publication 1075, \u003cem\u003eTax Information Security Guidelines for Federal, State and Local Agencies\u003c/em\u003e, including its requirements for providing privacy and security controls for FTI.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS-FTI-2\u003c/strong\u003e Users with access to FTI must adhere to the following when working from Alternative Work Sites:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.1\u003c/em\u003e Telework Locations - FTI remains subject to the same safeguard requirements and the highest level of attainable security. All the requirements of IRS Publication 1075, Section 4.5, Physical Security of Computers, Electronic, and Removable Media, apply to telework locations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.2\u003c/em\u003e Equipment - CMS must retain ownership and control of all hardware, software, and end-point equipment connecting to public communication networks, where these are resident at any alternate work site. Alternatively, the use of virtual desktop infrastructure with non-CMS-owned devices (including personally-owned devices) is acceptable, where all requirements in IRS Publication 1075, Section 9.4.13, Virtual Desktop Infrastructure, are met.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.3\u003c/em\u003e Data Storage - FTI may be stored on hard disks only if CMS-approved security access control devices (hardware/software) have been installed, are receiving regularly scheduled maintenance including upgrades, and are being used. 
Access controls must include password security, an audit trail, encryption, virus detection, and data overwriting capabilities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCMS-FTI-2.4\u003c/em\u003e Inspection - Alternate work sites may be subject to periodic inspections by CMS personnel to ensure that safeguards are adequate.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSecurity and Privacy Control Families\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe CMS ARS is central to the security and privacy framework. Through this document, CMS identifies the essential set of security and privacy controls that must be implemented for CMS Information Systems. CMS established these safeguards based on the agency's interpretation of the applicability of HHS and CMS internal policies and guidance, mandates, and legislative guidance specific to the CMS environment. Each control family has a specific set of “dash one” controls that require policies to be in place, while the remaining controls provide details for implementing the policy. The “dash one” controls are included in this \u003cem\u003ePolicy\u003c/em\u003e, while the implementation details required for each security and privacy control are outlined in the ARS. This section provides an overview of the policy requirements associated with each “dash one” control family and includes additional details required for these “dash one” controls.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAccess Control (AC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAC-1\u003c/strong\u003e The Program must develop and document an access control policy that addresses purpose, scope, responsibility, management commitment, coordination among organizational entities, and compliance. 
The Access Control family of controls ensures access to information systems is limited to authorized users, processes acting on behalf of authorized users, and devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Access Control Policies and Procedures.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.2\u003c/em\u003e Develop an Access Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Access Control family of controls periodically and following the events defined in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.4\u003c/em\u003e Disseminate policies, procedures, and standards for the Access Control family of controls to all personnel who perform roles defined within this \u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.5\u003c/em\u003e Maintain all policies, procedures, and standards associated with the Access Control family of controls to reflect applicable federal laws, executive orders, directives, regulations, policies, standards, and guidance.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAC-1.6\u003c/em\u003e Define access control policies and procedures to provide the foundation required to ensure privacy protections are implemented for the identified uses of PII and PHI.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAwareness and Training (AT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAT-1\u003c/strong\u003e The Program must develop and maintain minimum controls to ensure managers and users of information systems are made aware of the information security and 
privacy risks associated with their activities and of the applicable federal and agency requirements related to the information security and privacy of CMS systems. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Awareness and Training family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAT-1.1.1 Develop topic-based training to explain privacy processes carried out within CMS and update topic-based training courses when significant changes occur to privacy processes.\u003c/p\u003e\u003cp\u003eAT-1.1.2 Develop and implement an information security and privacy education, awareness, and training program for all employees and individuals working on behalf of CMS involved in managing, using, and/or operating information systems.\u003c/p\u003e\u003cp\u003eAT-1.1.2.1 Ensure information security awareness and training is provided to all employees and contractors, and that all employees and contractors review and acknowledge an approved RoB within sixty (60) days from entry on duty (EOD) date, or commencement of work on a contract or subcontract; and review and acknowledge the RoB annually thereafter.\u003c/p\u003e\u003cp\u003eAT-1.1.2.2 Ensure privacy awareness and training is provided within sixty (60) days from EOD date, or commencement of work on a contract or subcontract, and annually thereafter, to all employees and contractors to explain the importance and responsibility in safeguarding PII and PHI and ensuring privacy, as established in federal legislation, regulations, and OMB guidance.\u003c/p\u003e\u003cp\u003eAT-1.1.2.3 Ensure system information security and privacy training records are documented in support of annual FISMA reporting.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-2\u003c/strong\u003e The Program must develop and maintain minimum controls to ensure those with 
“significant information security and privacy responsibilities” receive adequate role-based training (RBT) to carry out those responsibilities. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.1 \u003c/em\u003eEnsure initial and periodic information security and privacy RBT is provided for all individuals in roles that possess significant information security and privacy responsibilities, including those that are CMS federal employees, contractors, and subcontractors. CMS RBT must meet or exceed HHS RBT requirements, as follows:\u003c/p\u003e\u003cp\u003eAT-2.1.1 CMS must identify all personnel (employees and contractors) and their associated work roles with significant information security and privacy responsibilities, in accordance with the HHS Cybersecurity Coding Guide and the National Initiative for Cybersecurity Education (NICE) Framework. The Program will identify appropriate minimum RBT requirements for each identified role with significant information security and privacy responsibilities.\u003c/p\u003e\u003cp\u003eAT-2.1.2 All CMS employees, including managers, Senior Executive Service (SES) personnel, and contractors who have significant information security and privacy responsibilities, must complete minimum RBT requirements within sixty (60) days from EOD date, or commencement of work on a contract or subcontract. Thereafter, all personnel with significant information security and privacy responsibilities must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.3 Individuals who change roles within CMS such that they assume new significant information security and privacy responsibilities, or who otherwise assume such responsibilities, must complete RBT within 60 days of assuming those new responsibilities. 
Thereafter, they must complete RBT at least annually.\u003c/p\u003e\u003cp\u003eAT-2.1.4 All CMS employees and contractors with significant information security and privacy responsibilities who have not completed the required training within the mandated timeframes will have their user accounts disabled until they have met their RBT requirement.\u003c/p\u003e\u003cp\u003eAT-2.1.5 All companies/vendors contracting with CMS are responsible for ensuring that their personnel who have significant information security and privacy responsibilities have training commensurate with their role. Training records must be submitted to CMS upon commencement of work and annually thereafter (or upon request, whichever comes first).\u003c/p\u003e\u003cp\u003eAT-2.1.6 The CMS CISO, in coordination with CMS's Training Coordinator(s) and Contracting Officers/Representatives (CO/COR), must track and maintain RBT records for all personnel with significant information security and privacy responsibilities. All training records must be retained consistently with an appropriately selected records retention schedule.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.2\u003c/em\u003e Develop appropriate security and privacy RBT for personnel with significant information security and privacy responsibilities in accordance with all relevant federal laws, regulations, and guidelines. The Program may provide such training in the form of CMS- or HHS-approved courses or professional development training, or in other appropriate formats. Personnel may also request approval for external training, such as certificate programs or college courses, to satisfy their RBT requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.3\u003c/em\u003e Require personnel wishing to receive credit for any form of RBT taken from an organization external to CMS, in satisfaction of any CMS or HHS training requirement, to first seek review and approval from their supervisor (or, for contractors, from their employer). 
The Program may further require personnel to supply information concerning completion of such external programs (such as grade reports or certificates of completion) before providing personnel with credit or acknowledgment for having satisfied the relevant RBT requirement.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.4\u003c/em\u003e In addition to periodically identifying all \u003cem\u003eroles \u003c/em\u003eof personnel that have significant information security and privacy responsibilities, CMS will also periodically identify all \u003cem\u003especific individuals \u003c/em\u003ewho serve in roles with significant information security and privacy responsibilities. CMS managers are responsible for cooperating with the Program to identify individuals with significant information security and privacy responsibilities, and for ensuring that the personnel they manage are appropriately categorized in their roles. CMS managers will be required to complete this identification process as a CMS personnel needs assessment.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.5\u003c/em\u003e Personnel who assume multiple roles must complete at least one training that addresses the unique responsibilities associated with at least one role. CMS managers must also ensure the personnel they manage complete the appropriate minimum RBT requirements in the required time frames.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAT-2.6\u003c/em\u003e The Program may request verification of completion of RBT of all personnel from CMS managers. 
The Program may require managers to supply adequate information, for each individual completing RBT, to verify the individual's identity, the content of the RBT, and proof of completion of RBT.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-3\u003c/strong\u003e Develop an Awareness and Training Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAT-4\u003c/strong\u003e Review and update policies, procedures, and standards for the Awareness and Training Control family of controls periodically and following the events defined in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAudit and Accountability (AU)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eAU-1\u003c/strong\u003e The Program must develop and maintain (within the Audit and Accountability family of controls) minimum controls to ensure information system audit records are created, protected, and retained to the extent needed to: (i) enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Audit and Accountability family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eAU-1.1.1 Identify which events the organization audits, based on a risk assessment and mission/business needs.\u003c/p\u003e\u003cp\u003eAU-1.1.2 Identify and ensure a subset of auditable events applicable to the information system is chosen, based on threat information and risk assessment.\u003c/p\u003e\u003cp\u003eAU-1.1.3 Identify and ensure the rationale is provided for why the list of auditable events is deemed adequate to support incident investigations.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.2\u003c/em\u003e Develop an Audit and Accountability Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.3\u003c/em\u003e Ensure audit record content for all CMS system components, at a minimum, includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of the event\u003c/li\u003e\u003cli\u003eComponent of the information system (e.g., software component, hardware component) where the event occurred\u003c/li\u003e\u003cli\u003eType of event\u003c/li\u003e\u003cli\u003eUser/subject identity\u003c/li\u003e\u003cli\u003eOutcome (success or failure) of the event\u003c/li\u003e\u003cli\u003eExecution of privileged functions.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eAU-1.4\u003c/em\u003e Ensure audited events are significant and relevant to the information security and privacy needs associated with the information system.\u003c/p\u003e\u003cp\u003eAU-1.4.1 Auditing must be compliant with the \u003ca href=\"https://www.uscourts.gov/file/rules-evidence\"\u003eFederal Rules of Evidence\u003c/a\u003e as published by US Courts.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.5\u003c/em\u003e Define CMS 
processes, procedures, and standards for the maintenance and review of audit logs for indications of inappropriate or unusual activity to ensure:\u003c/p\u003e\u003cp\u003eAU-1.5.1 Findings are reported to the designated CMS officials, including system officials with a need to know (e.g., Business Owner, Security and Privacy Officer).\u003c/p\u003e\u003cp\u003eAU-1.5.2 The level of audit review, analysis, and reporting is adjusted when there is a change in risk.\u003c/p\u003e\u003cp\u003eAU-1.5.3 A uniform time standard and time protocol is implemented across CMS, based on CMS-approved time sources, so that audit records from different systems can be correlated.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.6\u003c/em\u003e Ensure audit and accountability policies, processes, procedures, and standards directly support privacy audit and accountability requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.7\u003c/em\u003e Coordinate information security- and privacy-related audit functions with other entities that require audit information to enhance mutual support and guide the selection of auditable events.\u003c/p\u003e\u003cp\u003e\u003cem\u003eAU-1.8\u003c/em\u003e Review and update policies, procedures, and standards for the Audit and Accountability Control family of controls periodically and following the events defined in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessment, Authorization, and Monitoring (CA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCA-1\u003c/strong\u003e The Program must develop and document a security assessment and authorization control policy governing the assessment and authorization of FISMA systems within the CMS enterprise environment or any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Security Assessment and Authorization family of security controls in the ARS to:\u003c/p\u003e\u003cp\u003eCA-1.1.1 Perform security assessments on information systems and the environments in which those systems operate as part of (i) initial and ongoing security authorizations, (ii) FISMA annual assessments, (iii) continuous monitoring, and (iv) system development life cycle activities.\u003c/p\u003e\u003cp\u003eCA-1.1.2 Authorize connections from the information system to other information systems through the use of Interconnection Security Agreements.\u003c/p\u003e\u003cp\u003eCA-1.1.3 Develop and submit a POA\u0026amp;M for the information system as a result of any security assessment findings.\u003c/p\u003e\u003cp\u003eCA-1.1.4 Develop an ISCM strategy and implement a program compliant with HHS ISCM Strategy.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.2\u003c/em\u003e Develop a Security Assessment and Authorization Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Security Assessment and Authorization Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eConfiguration Management (CM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCM-1 \u003c/strong\u003eThe CMS Configuration Management Executive must coordinate with the CMS CISO and the Program to document the configuration management processes and procedures to define configuration items at the system and component level (e.g., hardware, software, workstation); monitor configurations; and track and approve changes prior to implementation, including but not limited to 
flaw remediation, security patches, and emergency changes (e.g., unscheduled changes such as mitigating newly discovered security vulnerabilities, system crashes, replacement of critical hardware components). Baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) must be established and maintained throughout the respective system life cycles, and security configuration settings for information products employed in information systems must be established and enforced. In coordination with the CMS Configuration Management Executive, the Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Configuration Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCM-1.1.1 Ensure configuration management procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eCM-1.1.2 Ensure scheduled changes to networks or systems are authorized prior to implementation and are not permitted outside of the configuration management process.\u003c/p\u003e\u003cp\u003eCM-1.1.3 Monitor system configurations and changes to ensure configuration management processes and procedures are followed.\u003c/p\u003e\u003cp\u003eCM-1.1.4 Evaluate the configuration management process periodically, as specified in the ARS, as part of the required FISMA reporting process to verify adequacy and effectiveness.\u003c/p\u003e\u003cp\u003eThrough the Program the CMS CISO, in coordination with the CMS Configuration Management Executive, defines and develops policies to ensure CMS Business Owner/ISOs:\u003c/p\u003e\u003cp\u003eCM-1.1.5 Implement and enforce configuration management controls for all CMS systems and networks.\u003c/p\u003e\u003cp\u003eCM-1.1.6 Develop, document, and 
maintain a current baseline configuration of each system and the system's constituent components.\u003c/p\u003e\u003cp\u003eCM-1.1.7 Develop, document, and maintain an inventory of the components, both hardware and software, that includes relevant ownership information.\u003c/p\u003e\u003cp\u003eCM-1.1.8 Test, validate, and document proposed changes prior to implementation to assess the impact to the information security and privacy of data.\u003c/p\u003e\u003cp\u003eCM-1.1.9 Ensure systems categorized as “Moderate” or “High” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRetain older versions of baseline configurations as deemed necessary to support rollback\u003c/li\u003e\u003cli\u003eMaintain a baseline configuration for development and test environments to ensure development and test environments are managed separately from the operational environment\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThrough the Program, the CMS CISO must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.10 Current (up-to-date) anti-virus (AV)/anti-malware and host-based intrusion detection system (HIDS) applications are included, as appropriate, on systems connected to the CMS network.\u003c/p\u003e\u003cp\u003eCM-1.1.11 AV software is configured to automatically perform periodic virus scanning.\u003c/p\u003e\u003cp\u003eCM-1.1.12 HIDS software is configured to automatically scan all inbound and outbound network traffic.\u003c/p\u003e\u003cp\u003eThe CMS Configuration Management Executive must ensure:\u003c/p\u003e\u003cp\u003eCM-1.1.13 All systems and system components adhere to the \u003cem\u003eHHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eCM-1.1.14 Appropriate CCBs are created and managed for the review and approval of changes.\u003c/p\u003e\u003cp\u003eCM-1.1.15 Configuration management includes a representative from the system as a member of the CCB. 
Participation on the CCB is at the Security Control Assessor's discretion. If the Security and Privacy Officer or Security Control Assessor acts as a voting member of the CCB, they must be a federal employee.\u003c/p\u003e\u003cp\u003eCM-1.1.16 Personnel with configuration management responsibilities are trained on CMS configuration management processes.\u003c/p\u003e\u003cp\u003eCM-1.1.17 Change documentation is maintained for no less than 12 months after a change is made.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.2\u003c/em\u003e Develop a Configuration Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.3\u003c/em\u003e For systems categorized as “High” under FIPS 199, ensure detection of unauthorized information security and privacy relevant configuration changes is incorporated into the incident response capability to ensure events are tracked, monitored, corrected, and available for historical purposes.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCM-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Configuration Management Control family of controls periodically and following the events defined in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eContingency Planning (CP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eCP-1\u003c/strong\u003e The Program must develop and maintain the Contingency Planning family of controls to ensure contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems are established, maintained, and effectively implemented. IT Contingency Plans ensure the availability of critical information resources and continuity of operations in emergency situations. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Contingency Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eCP-1.1.1 Work with Business Owners/ISOs to develop and document an IT contingency plan for all information systems in accordance with NIST SP 800-34 Rev. 1, \u003cem\u003eContingency Planning Guide for Federal Information Systems\u003c/em\u003e, and all other relevant CP documentation defined in the ARS.\u003c/p\u003e\u003cp\u003eIT contingency plans must support:\u003c/p\u003e\u003cp\u003eCP-1.1.1.1 Applicable CMS continuity of operations plans (COOP), particularly for information systems supporting the continuity of CMS's essential business functions.\u003c/p\u003e\u003cp\u003eCP-1.1.1.2 Recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.\u003c/p\u003e\u003cp\u003eCP-1.1.1.3 Implementation of privacy-applicable requirements to reduce the risk of avoidable information security and privacy incidents and breaches while executing contingency measures.\u003c/p\u003e\u003cp\u003eIT contingency plans, as part of the required FISMA reporting process, must be:\u003c/p\u003e\u003cp\u003eCP-1.1.1.4 Reviewed and updated periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.1.5 Tested periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003eCP-1.1.2 Ensure systems categorized as “High” or “Moderate” under FIPS 199:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement a transaction recovery system for transaction-based systems\u003c/li\u003e\u003cli\u003ePerform coordinated contingency testing and/or exercises with organizational elements responsible for related plans.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3 Ensure systems categorized as “High” under FIPS 199 develop an IT contingency plan in coordination with 
organizational elements responsible for related plans (e.g., incident response).\u003c/p\u003e\u003cp\u003eCP-1.1.3.1 Business Owners/ISOs must develop and document a comprehensive system backup strategy for each system.\u003c/p\u003e\u003cp\u003eCP-1.1.3.1.1 The system backup strategy must document processes to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSupport the information system recovery\u003c/li\u003e\u003cli\u003eStore backup copies of the operating system and other critical information system software, as well as copies of the information system inventory, in a physically separate facility or in a fire-rated container not co-located with the operational system\u003c/li\u003e\u003cli\u003eMeet business continuity needs, including the identified recovery time objective (RTO) and recovery point objective (RPO).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.1.3.1.2 Applicable alternate processing sites must be established that are compliant with FIPS 199 system categorization requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.2\u003c/em\u003e Develop a Contingency Planning Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eCP-1.3\u003c/em\u003e For systems categorized as “High” (or as “Moderate” and supporting essential CMS mission or business functions) under FIPS 199, ensure the CMS Business Owner/ISO establishes and maintains appropriate alternate processing and storage site agreements that require:\u003c/p\u003e\u003cp\u003eCP-1.3.1 Alternate processing sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s) and primary processing site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate processing site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary processing site(s) are provided\u003c/li\u003e\u003cli\u003eBe configurable for use as an operational site. 
\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCP-1.3.2 Alternate storage sites:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBe separated from the primary storage site(s)\u003c/li\u003e\u003cli\u003eIdentify potential accessibility problems to the alternate storage site(s) and outline explicit mitigation actions\u003c/li\u003e\u003cli\u003eEnsure information security measures equivalent to those of the primary storage site(s) are provided.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eCP-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Contingency Planning Control family of controls periodically and following the events defined in the ARS, or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentification and Authentication (IA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIA-1\u003c/strong\u003e The Program must develop and maintain the Identification and Authentication family of controls to ensure information system users, processes acting on behalf of users, and devices are identified, and the identities authenticated (or verified) as a prerequisite to allowing access to information systems. 
Through the Program, the CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Identification and Authentication family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIA-1.1.1 Establish policy and procedures for the effective implementation of selected security controls and control enhancements in the IA control family.\u003c/p\u003e\u003cp\u003eIA-1.1.2 Ensure policy and procedures reflect applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eIA-1.1.3 Ensure the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users) and that the organization meets all the requirements specified by HHS policy and applicable implementation standard(s).\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.2\u003c/em\u003e Develop an Identification and Authentication Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.3\u003c/em\u003e Ensure all users, including federal employees, contractors, and entities with network access to systems, use multi-factor authentication. 
External facing applications must offer consumers multi-factor authentication as an option.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIA-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Identity and Authentication Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIncident Response (IR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eIR-1 \u003c/strong\u003eThe Program must develop and maintain the Incident Response family of controls to establish an operational incident handling capability for information systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked, documented, and reported. The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Incident Response family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eIR-1.1.1 Document, maintain, and communicate policies and procedures in accordance with the \u003cem\u003eHHS Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response \u003c/em\u003eand the \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, including roles and responsibilities for information security and PII incidents and violation handling.\u003c/p\u003e\u003cp\u003eIR-1.1.2 Ensure CMS employees and contractors situational awareness through:\u003c/p\u003e\u003cp\u003eIR-1.1.2.1 Receipt of information system security and privacy alerts, advisories, and directives from designated external organizations on an ongoing basis.\u003c/p\u003e\u003cp\u003eIR-1.1.2.2 Generation of internal information security and privacy alerts, advisories, and directives as deemed necessary.\u003c/p\u003e\u003cp\u003eIR-1.1.2.3 
Dissemination of information security and privacy alerts, advisories, and directives to personnel (see the ARS for a complementary, CMS-defined process).\u003c/p\u003e\u003cp\u003eIR-1.1.3 Ensure CMS employees' and contractors' awareness of privacy-related incidents through:\u003c/p\u003e\u003cp\u003eIR-1.1.3.1 Development and implementation of privacy breach notification and response policies, processes, and standards.\u003c/p\u003e\u003cp\u003eIR-1.1.3.2 Appropriate notification of the SOP for all incidents involving PII or PHI.\u003c/p\u003e\u003cp\u003eIR-1.1.4 Ensure CMS employees and contractors maintain incident response processes and procedures by:\u003c/p\u003e\u003cp\u003eIR-1.1.4.1 Reviewing and updating Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.2 Testing Incident Response Plans periodically as defined in the ARS.\u003c/p\u003e\u003cp\u003eIR-1.1.4.3 Incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.\u003c/p\u003e\u003cp\u003eIR-1.1.5 Ensure CMS employees and contractors maintain familiarity with incident response processes and procedures through periodic training, as defined in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.2 \u003c/em\u003eThe CMS CISO, in coordination with the CMS Director of CCIC and Business Owners/ISOs, must establish and maintain an information security and privacy incident and breach response capability that includes preparation, identification, containment, eradication, recovery, and follow-up capabilities to ensure effective recovery from information security and privacy incidents and breaches.\u003c/p\u003e\u003cp\u003eIR-1.2.1 For systems categorized as “Moderate” or “High” under FIPS 199, incident handling activities must be coordinated with contingency planning activities.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.3 \u003c/em\u003eDevelop an Incident Response Policy which is consistent with the ARS and 
other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eIR-1.4\u003c/em\u003e Review and update policies, procedures, and standards for the Incident Response Control family of controls and following defined events in ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMaintenance (MA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMA-1\u003c/strong\u003e The Program must develop and maintain the System Maintenance family of controls to ensure (i) periodic and timely maintenance on organizational information systems is performed and (ii) effective controls are established for the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. The Program must:\u003c/p\u003e\u003cp\u003eMA-1.1 Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Maintenance family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMA-1.1.1 Ensure privacy considerations are included in system maintenance policy and procedures, especially when the system contains information subject to the \u003cem\u003ePrivacy Act \u003c/em\u003eand/or HIPAA.\u003c/p\u003e\u003cp\u003eMA-1.1.2 Ensure routine preventative and regular maintenance (including repairs) on the components of all CMS information systems, supporting utilities, and ancillary equipment (e.g., within the data center, used for testing) are scheduled, performed, documented, and reviewed.\u003c/p\u003e\u003cp\u003eMA-1.1.2.1 Maintenance processes and procedures must be compliant with CMS processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.2.2 Maintenance processes and procedures may reference manufacturer or vendor specifications.\u003c/p\u003e\u003cp\u003eMA-1.1.3 Ensure information system maintenance tools are approved, controlled, maintained, and monitored as required.\u003c/p\u003e\u003cp\u003eMA-1.1.4 Ensure only authorized personnel are allowed to perform maintenance on 
the information system through established processes and procedures.\u003c/p\u003e\u003cp\u003eMA-1.1.4.1 Personnel authorized to perform maintenance must be compliant with requirements defined under the Awareness and Training and Personnel Security sections of this document.\u003c/p\u003e\u003cp\u003eMA-1.1.5 For non-local (e.g., remote) maintenance and diagnostic services ensure:\u003c/p\u003e\u003cp\u003eMA-1.1.5.1 Services are authorized, monitored, and controlled.\u003c/p\u003e\u003cp\u003eMA-1.1.5.2 Tools are consistent with organizational policy and documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.5.3 Strong identification and authentication techniques are employed in the establishment of sessions.\u003c/p\u003e\u003cp\u003eMA-1.1.5.4 Activity records are maintained.\u003c/p\u003e\u003cp\u003eMA-1.1.5.5 All sessions and network connections are terminated when non-local maintenance is completed.\u003c/p\u003e\u003cp\u003eMA-1.1.6 Ensure appropriate protection of information systems and/or components being removed:\u003c/p\u003e\u003cp\u003eMA-1.1.6.1 The CMS Business Owner/ISO or designated federal employee must approve the removal of information systems and/or system components for offsite maintenance/repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.6.2 The equipment/media must be sanitized in a manner compliant with \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\"\u003eNIST sanitization standards\u003c/a\u003e prior to removal from organizational facilities for offsite maintenance or repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.7 For systems categorized as “Moderate” or “High” under FIPS 199, maintenance records must include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDate and time of maintenance\u003c/li\u003e\u003cli\u003eName of the individual performing the maintenance\u003c/li\u003e\u003cli\u003eName of escort, if necessary\u003c/li\u003e\u003cli\u003eDescription of the 
maintenance performed\u003c/li\u003e\u003cli\u003eList of equipment (including components and parts), including the removal and/or replacement of applicable identification numbers\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eCMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.7.1 Inspect all maintenance tools carried into a facility by maintenance personnel for improper modifications.\u003c/p\u003e\u003cp\u003eMA-1.1.7.2 Check all media containing diagnostic and test applications and programs for malicious code before the media is used in the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.7.3 Ensure non-local maintenance and diagnostic sessions, including review of the maintenance records of the sessions, are audited by the Security and Privacy Officer.\u003c/p\u003e\u003cp\u003eMA-1.1.7.4 Ensure installation and use of non-local maintenance and diagnostic connections are documented in the security plan for the information system.\u003c/p\u003e\u003cp\u003eMA-1.1.8 For systems categorized as “High” under FIPS 199, CMS Business Owners/ISOs must:\u003c/p\u003e\u003cp\u003eMA-1.1.8.1 Employ automated mechanisms to schedule, conduct, and document any required maintenance and repairs.\u003c/p\u003e\u003cp\u003eMA-1.1.8.2 Produce and maintain up-to-date, accurate, complete, and available records of all maintenance and repair actions that are needed, in process, and completed.\u003c/p\u003e\u003cp\u003eMA-1.1.8.3 Prevent the unauthorized removal of maintenance equipment/media by performing one of the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerifying there is no CMS sensitive information contained on the equipment/media\u003c/li\u003e\u003cli\u003eSanitizing or destroying the equipment/media in a manner compliant with NIST or DoD guidance\u003c/li\u003e\u003cli\u003eRetaining the equipment/media within the facility\u003c/li\u003e\u003cli\u003eDocumenting the removal of the equipment/media from the facility with an exemption signed by the Business 
Owner/ISO or designated federal employee\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cem\u003eMA-1.2 \u003c/em\u003eDevelop a Maintenance Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Maintenance Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMedia Protection (MP)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eMP-1 \u003c/strong\u003eThe Program must develop and maintain the Media Protection family of controls to ensure information system media containing sensitive information, both digital and non-digital, is protected by (i) limiting access to authorized users and (ii) sanitizing or destroying information system media before disposal or release for reuse. The program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Media Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eMP-1.1.1 Inform all employees and contractors with potential access to sensitive information, such as PII or PHI, about all policies and procedures to protect any sensitive information residing on the various media types used by CMS.\u003c/p\u003e\u003cp\u003eMP-1.1.2 Ensure procedures exist for protecting information system media during transport, specifically through the use of cryptography and restricting the transport of such media to authorized personnel commensurate with the sensitivity level of the data.\u003c/p\u003e\u003cp\u003eMP-1.1.3 Develop and maintain processes, procedures, and standards to ensure information system media, both digital and non-digital, are properly sanitized and/or disposed of.\u003c/p\u003e\u003cp\u003eMP-1.1.3.1 Ensure sanitization and disposal 
techniques (i.e., clear, purge, destroy) for digital and non-digital media are in compliance with NIST SP 800-88 Revision 1, \u003cem\u003eGuidelines for Media Sanitization, \u003c/em\u003eincluding the media sanitization decision matrix, prior to disposal, release, and transfer of custody for re-use.\u003c/p\u003e\u003cp\u003eMP-1.1.4 Ensure all confidential or classified information is sanitized and disposed of in accordance with policy, procedures, and standards established by the National Security Agency (NSA) and DoD.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.2 \u003c/em\u003eDevelop a Media Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eMP-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Media Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePhysical and Environmental Protection (PE)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePhysical controls are important for protecting FTI, PII and PHI against unauthorized access, use, and disclosure. Environmental controls can be critical when FTI and PII have high availability requirements (e.g., core mission capabilities of an organization rely on consistent and frequent access to PII/FTI)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePE-1\u003c/strong\u003e The Program must develop and maintain the Physical and Environmental Protection family of controls to ensure physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Physical and Environmental Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePE-1.1.1 Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.\u003c/p\u003e\u003cp\u003ePE-1.1.2 Protect the physical plant and support infrastructure for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.3 Provide supporting utilities for information systems.\u003c/p\u003e\u003cp\u003ePE-1.1.4 Protect against environmental hazards.\u003c/p\u003e\u003cp\u003ePE-1.1.5 Consider the data sensitivity when defining physical and environmental controls for systems.\u003c/p\u003e\u003cp\u003ePE-1.1.6 Maintain an understanding that the sensitivity of information impacts the necessary physical and environmental controls.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.2 \u003c/em\u003eDevelop a Physical and Environmental Protection Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePE-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Physical and Environmental Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePlanning (PL)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePL-1\u003c/strong\u003e The Program must develop and maintain the Planning family of controls to ensure information security and privacy planning for FISMA systems are performed within the CMS enterprise environment and on any systems storing, processing, or transmitting CMS information on behalf of CMS. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.1 \u003c/em\u003eDesignate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Planning family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePL-1.1.1 Develop, document, and maintain information security and privacy plans for each CMS system and network:\u003c/p\u003e\u003cp\u003ePL-1.1.1.1 Security plans must be in accordance with NIST SP 800-18 Revision 1, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e.\u003c/p\u003e\u003cp\u003ePL-1.1.1.2 Privacy plans must address the privacy requirements for confidentiality, availability, and integrity for the organization and individual information system(s).\u003c/p\u003e\u003cp\u003ePL-1.1.1.3 Business Owners/ISOs must review and update the information security and privacy plans periodically as defined in the ARS, and following defined events in the ARS and applicable control implementation statements of the associated PL controls.\u003c/p\u003e\u003cp\u003ePL-1.1.2 Develop, document, and maintain an Information Security Architecture to:\u003c/p\u003e\u003cp\u003ePL-1.1.2.1 Document the information security segments of the CMS enterprise architecture in accordance with OMB Circular A-130.\u003c/p\u003e\u003cp\u003ePL-1.1.2.2 Fully integrate information security and privacy into the CMS architecture framework.\u003c/p\u003e\u003cp\u003ePL-1.1.3 Review and update the security segments of the CMS enterprise architecture periodically, as defined in the ARS.\u003c/p\u003e\u003cp\u003ePL-1.1.4 Develop, document, and maintain the CMS Acceptable Use standards within the \u003cem\u003eHHS Rules of Behavior For Use of HHS Information and IT Resources Policy.\u003c/em\u003e\u003c/p\u003e\u003cp\u003ePL-1.1.4.1 Privacy requirements must be identified in contracts and acquisition-related documents.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2 CMS employees and 
contractors (users) must:\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.1 Be informed that the use of CMS IT resources, other than for authorized purposes, is a violation of the \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy \u003c/em\u003eand is grounds for disciplinary action, up to and including removal from federal service, monetary fines, and/or criminal charges, which could result in imprisonment.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.2 Be prohibited from transmitting sensitive CMS information using any non-CMS approved Internet-based mechanism, including but not limited to personal email, file-sharing, file transfer, and backup services.\u003c/p\u003e\u003cp\u003ePL-1.1.4.2.3 Read and sign the HHS RoB periodically, as defined in the ARS. PL-1.1.4.3 Personal use of CMS IT resources must comply with \u003cem\u003eHHS Rules of Behavior for Use of HHS Information and IT Resource Policy\u003c/em\u003e, which governs the appropriate use of CMS IT resources to ensure personal use of those resources does not put CMS data at risk of unauthorized disclosure or dissemination.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.2\u003c/em\u003e Develop a Planning Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePL-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Planning Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram Management (PM)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePM-1 \u003c/strong\u003eThe Program must develop and maintain the Program Management family of controls to ensure CMS develops an organization-wide information security and privacy program. The Program Management (PM) controls are typically implemented at the organization level and not specifically directed at individual information systems. 
Through the PM implementation of the controls, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Program Management family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePM-1.1.1 Periodic review and update of the Program Plan following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003ePM-1.1.2 CMS develops, maintains and reviews:\u003c/p\u003e\u003cp\u003ePM-1.1.2.1 Information security and privacy policy as an overview of the information security and privacy management controls and common controls.\u003c/p\u003e\u003cp\u003ePM-1.1.2.2 Policy and procedures to ensure requirements for protecting controlled unclassified information processed, stored, or transmitted on external systems are implemented.\u003c/p\u003e\u003cp\u003ePM-1.1.2.3 An accurate accounting of disclosures of personally identifiable information as specified in the ARS.\u003c/p\u003e\u003cp\u003ePM-1.1.2.4 Policies and procedures for reviewing the accuracy, relevance, timeliness, and completeness of PII across the information life cycle as specified in the ARS. PM-1.1.2.5 The process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.\u003c/p\u003e\u003cp\u003ePM-1.1.2.6 A privacy program structured to inform the information security program of all privacy-related requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3 CMS identifies roles, responsibilities, and compliance requirements.\u003c/p\u003e\u003cp\u003ePM-1.1.3.1 CMS must appoint the CISO as the Senior Information Security Officer. 
PM-1.1.3.2 CMS must appoint individuals with specific roles and responsibilities.\u003c/p\u003e\u003cp\u003ePM-1.1.4 CMS holds the approved AO accountable for the risk to the operations within CMS, organizational assets, individuals, and the nation.\u003c/p\u003e\u003cp\u003ePM-1.1.5 CMS develops, implements, and maintains a Risk Management Strategy to: PM-1.1.5.1 Document remediation actions responding to identified risk.\u003c/p\u003e\u003cp\u003ePM-1.1.5.2 Develop and implement a POA\u0026amp;M process to address information security and privacy risks identified in its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.3 Develop and maintain inventory listings of its information systems.\u003c/p\u003e\u003cp\u003ePM-1.1.5.4 Measure the effectiveness of the Program, information security controls, and privacy controls.\u003c/p\u003e\u003cp\u003ePM-1.1.6 CMS develops, implements, and maintains a testing, training, and monitoring program.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePM-1.2 \u003c/em\u003eDevelop a Program Management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePersonnel Security (PS)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePS-1 \u003c/strong\u003eThe Program must develop and maintain the Personnel Security family of controls to ensure (i) CMS information systems employ personnel security controls consistent with applicable laws, executive orders, policies, directives, regulations, standards, and guidelines and (ii) procedures are developed to guide the implementation of personnel security controls. 
The Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personnel Security family of controls in the ARS to:\u003c/p\u003e\u003cp\u003ePS-1.1.1 CMS information systems employ personnel security controls consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003ePS-1.1.2 Processes and procedures are developed to guide the implementation of personnel security controls.\u003c/p\u003e\u003cp\u003ePS-1.1.2.1 Where appropriate, roles that require access to sensitive information (such as PII and PHI) must apply additional personnel security measures.\u003c/p\u003e\u003cp\u003ePS-1.1.3 Individuals occupying positions of responsibility within organizations (i.e., including third-party service providers) are trustworthy and meet established security criteria for the positions of responsibility.\u003c/p\u003e\u003cp\u003ePS-1.1.4 Information and information systems are adequately protected when personnel actions occur such as initial employment, terminations, and transfers.\u003c/p\u003e\u003cp\u003ePS-1.1.5 Formal sanctions for personnel failing to comply with organizational security policies and procedures are employed.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.2\u003c/em\u003e Develop a Personnel Security Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePS-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the Personnel Security Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePII Processing and Transparency (PT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003ePT-1\u003c/strong\u003e The Program must develop and maintain the Processing 
and Transparency family of controls to ensure the confidentiality of Personally Identifiable Information being processed and maintained by CMS organizational information systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Personally Identifiable Information Processing and Transparency family of controls in the ARS to. The Program Must:\u003c/p\u003e\u003cp\u003ePT-1-1-1 Coordinate with the SOP and the CISO in establishing the organizational authority for the use of Personally Identifiable Information being processed and developing processes to restrict the use of PII.\u003c/p\u003e\u003cp\u003ePT-1-1-2 Ensure public notices and policies are developed to describe the purpose for processing PII and monitoring changes.\u003c/p\u003e\u003cp\u003ePT-1-1-3 Ensure procedures are in place for individuals to consent to the processing of their personally identifiable information prior to its collection to allow for them to make informed decisions regarding the use of their personal information.\u003c/p\u003e\u003cp\u003ePT-1-1.4 Establish privacy risk assessments associated with the processing of personally identifiable information to help determine the appropriate elements to include in privacy notices.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Develop, publish and maintain system of records notices in accordance with OMB guidance when systems are used to maintain a group of any record under the control of CMS from which information is retrieved by the name of an individual or some type of identifying number, symbol, or other identifier.\u003c/p\u003e\u003cp\u003ePT-1-1-5 Obtain approval from the Data Integrity Board when systems or organizations conduct computer matching programs.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2 \u003c/em\u003eDevelop a Personally Identifiable Information Processing and Transparency Policy which is consistent with 
the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003ePT-1-2\u003c/em\u003e Review and update policies, procedures, and standards for the Personally Identifiable Information Processing and Transparency Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRisk Assessment (RA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eRA-1 Designate CMS Enterprise-level defined officials to manage the development, documentation, and dissemination of the Risk Assessment family of controls to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEnsure the risk to organizational operations (e.g., mission, functions, image, reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information, is assessed.\u003c/li\u003e\u003cli\u003eDevelop, document, implement, and update a risk assessment at least every three years or whenever a significant change occurs to the information system, a change in the threat environment occurs, a significant data breach occurs, or the ATO has expired.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Program must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.1 \u003c/em\u003eDevelop and maintain effective implementation of selected information security and privacy controls and control enhancements in the Risk Assessment family of controls as described in the ARS to ensure formal risk assessment processes and policies provide the foundation for protecting sensitive information.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.2 \u003c/em\u003eDevelop a Risk Assessment Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eRA-1.3\u003c/em\u003e Review and update policies, procedures, and standards for the Risk Assessment Control family of controls and following defined 
events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Services Acquisition (SA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSA-1 \u003c/strong\u003eThe Program must develop and maintain the System and Services Acquisition family of controls to ensure contracts, especially the Statement of Work (SOW) within the contract, are reviewed for appropriate information security and privacy contracting language specific to the technology or service being acquired. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Services Acquisition family of controls defined in the ARS to ensure:\u003c/p\u003e\u003cp\u003eSA-1.1.1 Appropriate information security and privacy documentation (i.e., information security and privacy functional requirements/specifications, information security-related and privacy-related documentation requirements, and developmental and evaluation- related assurance requirements) are contractually required for the development or acquisition of new systems.\u003c/p\u003e\u003cp\u003eSA-1.1.2 Appropriate information security and privacy language to protect sensitive information, such as PII and PHI, is contractually required for the development, acquisition, or operation of systems, when applicable.\u003c/p\u003e\u003cp\u003eSA-1.1.3 Documented processes and procedures are developed and implemented effectively to facilitate the acquisition of information security and privacy controls in all system and services acquisitions.\u003c/p\u003e\u003cp\u003eSA-1.1.4 Processes and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSA-1.1.5 Sufficient resources to adequately protect organizational 
information systems are allocated by the responsible organization.\u003c/p\u003e\u003cp\u003eSA-1.1.6 System development life cycle processes, as defined under the SDLC, incorporate required information security and privacy considerations.\u003c/p\u003e\u003cp\u003eSA-1.1.7 Software usage and installation restrictions are employed and compliant with CMS policy.\u003c/p\u003e\u003cp\u003eSA-1.1.8 Security specifications, either explicitly or by reference, are included in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal requirements and industry best practices.\u003c/p\u003e\u003cp\u003eSA-1.1.9 Security measures consistent with applicable federal requirements and industry best practices to protect information, applications, and/or services outsourced from the organization are required of third-party vendors and are verified as specified in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.2 \u003c/em\u003eDevelop a System and Services Acquisition Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSA-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Services Acquisition Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and Communications Protection (SC)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSC-1\u003c/strong\u003e The Program must develop and maintain the System and Communications Protection family of controls to ensure the organization develops, documents, and maintains system and communications protection policy, processes, and procedures. 
Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Communications Protection family of controls in the ARS to:\u003c/p\u003e\u003cp\u003eSC-1.1.1 Review and update the System and Communications Protection Policies and Procedures periodically and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003cp\u003eSC-1.1.2 Protect the system's assets and information while in transmission or at rest with technical controls based on:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe confidentiality, integrity, and availability of the system\u003c/li\u003e\u003cli\u003eThe sensitivity of information (e.g., PII and PHI) processed or stored by the system.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.3 Ensure the information system separates user functionality, including user interface services, from system management functionality. 
This is achieved by applying the systems security engineering design principles within the TRA to:\u003c/p\u003e\u003cp\u003eSC-1.1.3.1 Isolate access and information flow control from non-security functions and from other security functions.\u003c/p\u003e\u003cp\u003eSC-1.1.3.2 Determine if the information system uses underlying hardware separation mechanisms to implement security function isolation.\u003c/p\u003e\u003cp\u003eSC-1.1.3.3 Minimize the number of non-security functions included within the isolation boundary containing security functions by implementing security and privacy functions as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLargely independent modules to maximize internal cohesiveness within modules and minimize coupling between modules\u003c/li\u003e\u003cli\u003eA layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.4 Implement information security and privacy controls throughout the SDLC of each system by:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplementing usage restrictions based on the potential risk of harm to an information system\u003c/li\u003e\u003cli\u003eAuthorizing, monitoring, and controlling the use of such components within the information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSC-1.1.5 Operate websites that are within the restrictions stated in federal policies and directives.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.2\u003c/em\u003e Develop a System and Communications Protection Control Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSC-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Communications Protection Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem and 
Information Integrity (SI)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSI-1 \u003c/strong\u003eThe Program must develop and maintain the System and Information Integrity family of controls to establish and maintain policy and procedures for the effective implementation of selected information security controls and control enhancements. Through the Program, the CMS CISO must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.1\u003c/em\u003e Designate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the System and Information Integrity family of controls in the ARS to ensure:\u003c/p\u003e\u003cp\u003eSI-1.1.1 Policy, processes, and procedures are consistent with applicable federal laws, executive orders, mandates, directives, regulations, and HHS and CMS policies and standards.\u003c/p\u003e\u003cp\u003eSI-1.1.2 Policy, processes, and procedures are implemented to protect the integrity of systems and information and to meet the \u003cem\u003ePrivacy Act \u003c/em\u003erequirements for protection against any anticipated threats or hazards to the security or integrity of records.\u003c/p\u003e\u003cp\u003eSI-1.1.3 Information and information system flaws are identified, reported, and corrected in a timely manner, as defined within the ARS.\u003c/p\u003e\u003cp\u003eSI-1.1.4 Protection from malicious code is provided at appropriate locations within organizational information systems.\u003c/p\u003e\u003cp\u003eSI-1.1.5 Information system security and privacy alerts and advisories issued are monitored and appropriate action taken in response.\u003c/p\u003e\u003cp\u003eSI-1.1.6 Minimum information security and privacy controls are supplemented, as warranted, based on an assessment of risk and local conditions, including organization-specific security requirements, specific threat information, cost-benefit analysis, and special circumstances.\u003c/p\u003e\u003cp\u003eSI-1.1.7 A monitoring strategy is developed 
to implement an ISCM program that is compliant with Federal Rules of Evidence Section 803(6).\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.2 \u003c/em\u003eDevelop a System and Information Integrity Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSI-1.3 \u003c/em\u003eReview and update policies, procedures, and standards for the System and Information Integrity Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSupply Chain Risk Management (SR)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003eSR-1\u003c/strong\u003e The Program must develop and maintain the Supply Chain Risk Management (SR) family of controls to establish and maintain policy and procedures for the effective implementation of the selected information security controls and control enhancements. In coordination with the CISO and the Program, the organization must:\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.1 \u003c/em\u003eDesignate CMS Enterprise level defined officials to manage the development, documentation, and dissemination of the Supply chain risk management family of controls in the ARS.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.2\u003c/em\u003e Develop a Supply chain risk management Policy which is consistent with the ARS and other federal requirements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.3\u003c/em\u003e Coordinate with the CMS CISO to establish a process to identify and address weaknesses or deficiencies in the supply chain elements.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.4 \u003c/em\u003eEstablish procedures and agreements with entities involved in the supply chain for systems, system components or system services to ensure notification of supply chain compromises that can potentially adversely affect organizational systems.\u003c/p\u003e\u003cp\u003e\u003cem\u003eSR-1.5\u003c/em\u003e Review and 
update policies, procedures, and standards for the Supply chain risk management Control family of controls and following defined events in the ARS or as defined within the SSPP.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eNon-Compliance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe HHS Rules of Behavior (RoB) for Use of Information IT Resources Policy cannot account for every possible situation. Therefore, where this \u003cem\u003ePolicy \u003c/em\u003edoes not provide explicit guidance, personnel shall use their best judgment to apply the principles set forth in the \u003ca href=\"https://cmsintranet.share.cms.gov/ER/Pages/EthicsManagementOffice.aspx\"\u003estandards\u003c/a\u003e for \u003ca href=\"https://www.ecfr.gov/current/title-5/chapter-XVI/subchapter-B/part-2635\"\u003eethical conduct\u003c/a\u003e to guide their actions and seek guidance when appropriate from the Chief Information Officer (CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this Policy may be cause for disciplinary and non-disciplinary actions. 
Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:\u003c/p\u003e\u003col\u003e\u003cli\u003eSuspension of access privileges;\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, and/or facilities;\u003c/li\u003e\u003cli\u003eReprimand;\u003c/li\u003e\u003cli\u003eTermination of employment;\u003c/li\u003e\u003cli\u003eSuspension without pay;\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects;\u003c/li\u003e\u003cli\u003eMonetary fines;\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment;\u003c/li\u003e\u003cli\u003eDeactivation of accounts.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eInformation and Assistance\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eCMS ISPG is responsible for the development and management of this policy. Questions, comments, suggestions, and requests for information about this \u003cem\u003ePolicy \u003c/em\u003eshould be directed to: \u003ca href=\"mailto:CISO@cms.hhs.gov\"\u003eCISO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eEffective Date and Implementation\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe effective date of this policy is the date on which the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe CMS CIO has the authority to grant a one (1) year extension of the policy. 
To archive this policy, approval must be granted, in writing, by the CMS CIO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eApproval\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eGeorge Hoffmann\u003c/p\u003e\u003cp\u003eCMS Chief Information Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eConcurrence\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis document will be reviewed in accordance with the established review schedule located on the CMS website.\u003c/p\u003e\u003cp\u003eKeith Busby\u003c/p\u003e\u003cp\u003eCMS Chief Information Security Officer\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eAuthoritative References, Statutes, Orders, Directives, Policies, and Guidance\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eFederal Directives and Policies\u003c/strong\u003e\u003c/h3\u003e\u003cul\u003e\u003cli\u003eFederal Continuity Directive 1 (FCD 1): Federal Executive Branch National Continuity Program and Requirements, February 2008\u003c/li\u003e\u003cli\u003eHSPD-12, \u003cem\u003ePolicy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e, August 27, 2004\u003c/li\u003e\u003cli\u003eHSPD-7, \u003cem\u003eCritical Infrastructure Identification, Prioritization, and Protection\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOffice of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology: Statement of Organization, Functions, and Delegations of Authority, 74 Fed. Reg. 57679-57682 (2009)\u003c/li\u003e\u003cli\u003eOffice for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009) Office of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 73 Fed. Reg. 31486-31487 (2008)\u003c/li\u003e\u003cli\u003eOffice of the Secretary: Statement of Organization, Functions, and Delegations of Authority, 72 Fed. Reg. 
19000-19001 (2007)\u003c/li\u003e\u003cli\u003eOffice of Personnel Management (OPM) Regulation 5 Code of Federal Regulations (CFR) 930.301\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eThe Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009\u003c/li\u003e\u003cli\u003e\u003cem\u003ePublic Welfare\u003c/em\u003e, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.\u003c/li\u003e\u003cli\u003eFederal Acquisition Regulation (as amended)\u003c/li\u003e\u003cli\u003eE-Government Act of 2002\u003c/li\u003e\u003cli\u003eThe Federal Information Security Management Act (Pub. L. No. 107-347)\u003c/li\u003e\u003cli\u003eClinger-Cohen Act of 1996\u003c/li\u003e\u003cli\u003eThe Health Insurance Portability and Accountability Act of 1996\u003c/li\u003e\u003cli\u003ePaperwork Reduction Act of 1995\u003c/li\u003e\u003cli\u003eChildren's Online Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Computer Matching and Privacy Protection Act of 1988\u003c/li\u003e\u003cli\u003eThe Privacy Act of 1974 (as amended)\u003c/li\u003e\u003cli\u003eOffice of Federal Procurement Policy Act of 1974\u003c/li\u003e\u003cli\u003eFreedom of Information Act of 1966 (Public Law 89-554, 80 Stat. 383; Amended 1996, 2002, 2007)\u003c/li\u003e\u003cli\u003eFederal Records Act of 1950\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eN.3. 
HHS Policy\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eHHS-OCIO-OIS-2021-11-006, \u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2021-03-001, \u003cem\u003eHHS Policy for Information Technology Procurements - Security and Privacy Language\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2020-01-001, \u003cem\u003eHHS Policy for Securing Wireless Local Area Networks\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-05-003, \u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-PIM-2020-06-004, \u003cem\u003eHHS Policy for Records Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-OIS-2019-05-004, \u003cem\u003eHHS Rules of Behavior for the Use of HHS Information and IT Resources Policy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2018-0001.002S, \u003cem\u003eHHS System Inventory Management Standard\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2017-0001.001S\u003cem\u003e, HHS OCIO Minimum Security Configuration Standards Guidance\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2016-0005\u003cem\u003e, HHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2013-0004\u003cem\u003e, Policy for Personal Use of Information Technology Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2012-0001.001S, \u003cem\u003eStandard for Plans of Action and Milestones (POA\u0026amp;M) Management and Reporting\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2010-0002, \u003cem\u003eHHS-OCIO Policy for Capital Planning and Investment Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0004.001, \u003cem\u003eHHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle 
(EPLC)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS-OCIO-2008-0001.003, \u003cem\u003eHHS Policy for Responding to Breaches of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS CSIRC Concept of Operations\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Minimum Security Configuration Standards\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eResolving Security Audit Finding Disputes\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity of Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eOffice of Inspector General Management Implication Report Need for Departmental Security Enhancements for Information Technology Assets\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eUpdated Departmental Standard for the Definition of Sensitive Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eRole-Based Training (RBT) of Personnel with Significant Security Responsibilities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eSecurity Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS \u003cem\u003ePolicy for Information Technology (IT): Security and Privacy Incident Reporting and Response\u003c/em\u003e\u003c/li\u003e\u003cli\u003e48 CFR Chapter 3 \u003cem\u003eHealth and Human Services Acquisition Regulation (HHSAR)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFAC-2005-46, Federal Acquisition Regulation (FAR), amendments\u003c/li\u003e\u003cli\u003e\u003cem\u003eDepartment Information Security Policy/Standard Waiver\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS 
Information Security Program \u003cem\u003ePrivacy in the System Development Life Cycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eHHS Memorandum, \u003cem\u003eFederal Information Processing Standards (FIPS) 200 Implementation\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS National Security Information Manual\u003c/em\u003e\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Personnel Security/Suitability Handbook\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eOMB Policy and Memoranda\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eOMB Circular A-108, \u003cem\u003eFederal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-127, \u003cem\u003eFinancial Management Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-130, \u003cem\u003eManagement of Federal Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB Circular A-123, \u003cem\u003eManagement Accountability and Control\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-14-03, \u003cem\u003eEnhancing the Security of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-13-13, \u003cem\u003eOpen Data Policy Managing Information as an Asset\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-12-20, \u003cem\u003eFY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-33, \u003cem\u003eFY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-29, \u003cem\u003eChief Information Officer Authorities\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-16, \u003cem\u003e2011 Issuance of Revised Parts I and II to Appendix C of OMB Circular A-123\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-11, 
\u003cem\u003eContinued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-11-02, \u003cem\u003eSharing Data While Protecting Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-22, \u003cem\u003eGuidance for Online Use of Web Measurement and Customization Technologies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-23, \u003cem\u003eGuidance for Agency Use of Third-Party Websites and Applications\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-15, \u003cem\u003eFY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-10-06, \u003cem\u003eOpen Government Directive\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-09-29, \u003cem\u003eFY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-21, \u003cem\u003eFY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-23, \u003cem\u003eSecuring the Federal Government's Domain Name System Infrastructure\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-09, \u003cem\u003eNew FISMA Privacy Reporting Requirements for FY 2008\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-08-10, \u003cem\u003eUse of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-20, \u003cem\u003eFY 2007 E-Government Act Reporting Instructions\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-19, \u003cem\u003eFY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-07-16, 
\u003cem\u003eSafeguarding Against and Responding to the Breach of Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-20, \u003cem\u003eFY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-19, \u003cem\u003eReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-16, \u003cem\u003eProtection of Sensitive Agency Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-06-15, \u003cem\u003eSafeguarding Personally Identifiable Information\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-24, \u003cem\u003eImplementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-15, \u003cem\u003eFY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-08, \u003cem\u003eDesignation of Senior Agency Officials for Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-05-04, \u003cem\u003ePolicies for Federal Agency Public Websites\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-26, \u003cem\u003ePersonal Use Policies and File Sharing Technology\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-03-22, \u003cem\u003eOMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (as amended)\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-04-04, \u003cem\u003eE-Authentication Guidance for Federal Agencies\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-24, \u003cem\u003eReporting Instructions for the Government Information Security Reform Act\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-01-05, 
\u003cem\u003eGuidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-20, \u003cem\u003eSecurity of Federal Automated Information Resources\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-99-05, \u003cem\u003eInstructions on Complying with President's Memorandum of May 14, 1998, \"Privacy and Personal Information in Federal Records\"\u003c/em\u003e\u003c/li\u003e\u003cli\u003eOMB M-96-20, \u003cem\u003eImplementation of the Information Technology Management Reform Act of 1996\u003c/em\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eNIST SP 800-122, \u003cem\u003eGuide to Protecting Confidentiality of PII\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-81, \u003cem\u003eSecure Domain Name System (DNS) Deployment Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-65, \u003cem\u003eIntegrating IT Security into the Capital Planning and Investment Control Process\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-64, \u003cem\u003eSecurity Considerations in the System Development Lifecycle\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-63, \u003cem\u003eElectronic Authentication Guideline\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-61, \u003cem\u003eComputer Security Incident Handling Guide\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-60, \u003cem\u003eGuide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-58, \u003cem\u003eSecurity Considerations for Voice Over IP Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53A, \u003cem\u003eGuide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment 
Plans\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-53, \u003cem\u003eRecommended Security Controls for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-37, \u003cem\u003eGuide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-34, \u003cem\u003eContingency Planning Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-30, \u003cem\u003eRisk Management Guide for Information Technology Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-18, \u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST SP 800-16, \u003cem\u003eInformation Technology Security Training Requirements: A Role- and Performance-Based Model\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST \u003cem\u003eUnited States Government Configuration Baseline for Windows XP \u0026amp; Vista\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 200, \u003cem\u003eMinimum Security Requirements for Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 199, \u003cem\u003eStandards for Security Categorization of Federal Information and Information Systems\u003c/em\u003e\u003c/li\u003e\u003cli\u003eFIPS 140-3, \u003cem\u003eSecurity Requirements for Cryptographic Modules\u003c/em\u003e\u003c/li\u003e\u003cli\u003eNIST United States Government Configuration Baseline (USGCB)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eCMS Policy and Directives\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCMS Information Security Acceptable Risk Safeguards, CMS ARS Version 5.0\u003c/li\u003e\u003cli\u003eCMS Vulnerability Disclosure Policy Program\u003c/li\u003e\u003cli\u003eCMS Supply Chain Risk Management Policy\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003e\u003cstrong\u003eAssociated CMS 
Resources\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eThe CMS ISPG Library is available at: \u003ca href=\"https://security.cms.gov/\"\u003ehttps://security.cms.gov\u003c/a\u003e. It contains up-to-date policies, procedures, and directives, including those approved after release of this Policy.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e"])</script><script>self.__next_f.push([1,"18d:{\"value\":\"$18e\",\"format\":\"body_text\",\"processed\":\"$18f\",\"summary\":\"\"}\n192:[]\n191:{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":\"$192\",\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"}\n194:[]\n193:{\"uri\":\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\",\"title\":\"HHS IS2P\",\"options\":\"$194\",\"url\":\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"}\n196:[]\n195:{\"uri\":\"entity:node/381\",\"title\":\"National Institute of Standards and Technology (NIST)\",\"options\":\"$196\",\"url\":\"/learn/national-institute-standards-and-technology-nist\"}\n190:[\"$191\",\"$193\",\"$195\"]\n197:{\"value\":\"The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe IS2P2 defines how CMS protects and controls access to its information and systems. 
It outlines compliance activities and defines roles and responsibilities.\u003c/p\u003e\\n\"}\n18b:{\"drupal_internal__nid\":601,\"drupal_internal__vid\":5865,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-13T19:40:37+00:00\",\"status\":true,\"title\":\"CMS Information Systems Security \u0026 Privacy Policy (IS2P2)\",\"created\":\"2023-03-01T23:31:37+00:00\",\"changed\":\"2024-08-13T19:40:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$18c\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$18d\",\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-06-21\",\"field_related_resources\":\"$190\",\"field_short_description\":\"$197\"}\n19b:{\"drupal_internal__target_id\":\"library\"}\n19a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$19b\"}\n19d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de"])</script><script>self.__next_f.push([1,"-8aa4-a901b33bc95b/node_type?resourceVersion=id%3A5865\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/node_type?resourceVersion=id%3A5865\"}\n19c:{\"related\":\"$19d\",\"self\":\"$19e\"}\n199:{\"data\":\"$19a\",\"links\":\"$19c\"}\n1a1:{\"drupal_internal__target_id\":110}\n1a0:{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":\"$1a1\"}\n1a3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/revision_uid?resourceVersion=id%3A5865\"}\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/revision_uid?resourceVersion=id%3A5865\"}\n1a2:{\"related\":\"$1a3\",\"self\":\"$1a4\"}
\n19f:{\"data\":\"$1a0\",\"links\":\"$1a2\"}\n1a7:{\"drupal_internal__target_id\":26}\n1a6:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1a7\"}\n1a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/uid?resourceVersion=id%3A5865\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/uid?resourceVersion=id%3A5865\"}\n1a8:{\"related\":\"$1a9\",\"self\":\"$1aa\"}\n1a5:{\"data\":\"$1a6\",\"links\":\"$1a8\"}\n1ad:{\"drupal_internal__target_id\":96}\n1ac:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":\"$1ad\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_resource_type?resourceVersion=id%3A5865\"}\n1b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_resource_type?resourceVersion=id%3A5865\"}\n1ae:{\"related\":\"$1af\",\"self\":\"$1b0\"}\n1ab:{\"data\":\"$1ac\",\"links\":\"$1ae\"}\n1b4:{\"drupal_internal__target_id\":66}\n1b3:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1b4\"}\n1b6:{\"drupal_internal__target_id\":81}\n1b5:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":\"$1b6\"}\n1b8:{\"drupal_internal__target_id\":61}\n1"])</script><script>self.__next_f.push([1,"b7:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1b8\"}\n1ba:{\"drupal_internal__target_id\":76}\n1b9:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1ba\"}\n1bc:{\"drupal_internal__target_id\":71}\n1bb:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1bc\"}\n1b2:[\"$1b3\",\"$1b5\",\"$1b7\",\"$1b9\",\"$1bb\"]\n1be:{\"href\":\"https://cybergeek.cms.gov/jsonapi
/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_roles?resourceVersion=id%3A5865\"}\n1bf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_roles?resourceVersion=id%3A5865\"}\n1bd:{\"related\":\"$1be\",\"self\":\"$1bf\"}\n1b1:{\"data\":\"$1b2\",\"links\":\"$1bd\"}\n1c3:{\"drupal_internal__target_id\":16}\n1c2:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$1c3\"}\n1c1:[\"$1c2\"]\n1c5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_topics?resourceVersion=id%3A5865\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_topics?resourceVersion=id%3A5865\"}\n1c4:{\"related\":\"$1c5\",\"self\":\"$1c6\"}\n1c0:{\"data\":\"$1c1\",\"links\":\"$1c4\"}\n198:{\"node_type\":\"$199\",\"revision_uid\":\"$19f\",\"uid\":\"$1a5\",\"field_resource_type\":\"$1ab\",\"field_roles\":\"$1b1\",\"field_topics\":\"$1c0\"}\n187:{\"type\":\"node--library\",\"id\":\"f8e23203-8567-43de-8aa4-a901b33bc95b\",\"links\":\"$188\",\"attributes\":\"$18b\",\"relationships\":\"$198\"}\n1c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}\n1c8:{\"self\":\"$1c9\"}\n1cb:{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"}\n1cc:{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"}\n1cd:[\"#cms-zero-trust\"]\n1ca:{\"drupal_internal"])</script><script>self.__next_f.push([1,"__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust 
\",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1cb\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":\"$1cc\",\"field_slack_channel\":\"$1cd\"}\n1d1:{\"drupal_internal__target_id\":\"explainer\"}\n1d0:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1d1\"}\n1d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"}\n1d4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}\n1d2:{\"related\":\"$1d3\",\"self\":\"$1d4\"}\n1cf:{\"data\":\"$1d0\",\"links\":\"$1d2\"}\n1d7:{\"drupal_internal__target_id\":138}\n1d6:{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":\"$1d7\"}\n1d9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"}\n1da:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}\n1d8:{\"related\":\"$1d9\",\"self\":\"$1da\"}\n1d5:{\"data\":\"$1d6\",\"links\":\"$1d8\"}\n1dd:{\"drupal_internal__target_id\":26}\n1dc:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1dd\"}\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"}\n1e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-
24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}\n1de:{\""])</script><script>self.__next_f.push([1,"related\":\"$1df\",\"self\":\"$1e0\"}\n1db:{\"data\":\"$1dc\",\"links\":\"$1de\"}\n1e4:{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}\n1e3:{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":\"$1e4\"}\n1e2:[\"$1e3\"]\n1e6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"}\n1e7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}\n1e5:{\"related\":\"$1e6\",\"self\":\"$1e7\"}\n1e1:{\"data\":\"$1e2\",\"links\":\"$1e5\"}\n1eb:{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}\n1ea:{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":\"$1eb\"}\n1ed:{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}\n1ec:{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":\"$1ed\"}\n1ef:{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}\n1ee:{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":\"$1ef\"}\n1f1:{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}\n1f0:{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":\"$1f1\"}\n1f3:{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}\n1f2:{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":\"$1f3\"}\n1f5:{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}\n1f4:{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":\"$1f5\"}\n1e9:[\"$1ea\",\"$1ec\",\"$1ee\",\"$1f0\",\"$1f2\",\"$1f4\"]\n1f7:{\"href\":\"https://cyber
geek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"}\n1f8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}\n1f6:{\"related\":\"$1f7\",\"self\":\"$1f8\"}\n1e8:{\"data\":\"$1e9\",\"links\":\"$1f6\"}\n"])</script><script>self.__next_f.push([1,"1fb:{\"drupal_internal__target_id\":131}\n1fa:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1fb\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"}\n1fe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}\n1fc:{\"related\":\"$1fd\",\"self\":\"$1fe\"}\n1f9:{\"data\":\"$1fa\",\"links\":\"$1fc\"}\n202:{\"drupal_internal__target_id\":66}\n201:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$202\"}\n204:{\"drupal_internal__target_id\":61}\n203:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$204\"}\n206:{\"drupal_internal__target_id\":76}\n205:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$206\"}\n200:[\"$201\",\"$203\",\"$205\"]\n208:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"}\n209:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}\n207:{\"related\":\"$208\",\"self\":\"$209\"}\n1ff:{\"data\":\"$200\",\"links\":\"$207\"}\n20d:{\"drupal_internal__target_id\":21}\n20c:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"me
ta\":\"$20d\"}\n20b:[\"$20c\"]\n20f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"}\n210:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3A6076\"}\n20e:{\"related\":\"$20f\",\"self\":\"$210\"}\n20a:{\"data\":\"$20b\",\"links\":\"$20e\"}\n1ce:{\"node_type\":\"$1cf\",\"revision_uid\":\"$1d5\",\"uid\":\"$1db\",\"field_page_section\":\"$1e1\",\"field_related_collection\":\"$1e8\",\"field_resource_type\":\"$1f9\",\"field_roles\":\"$1ff\",\"field_topics\":\"$20a\"}\n1c7:{\"type\":\"node--explainer\",\"id\""])</script><script>self.__next_f.push([1,":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":\"$1c8\",\"attributes\":\"$1ca\",\"relationships\":\"$1ce\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"4b38d646-68b6-48e3-a75e-3032b689d54e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e?resourceVersion=id%3A5756\"}},\"attributes\":{\"drupal_internal__nid\":716,\"drupal_internal__vid\":5756,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T15:54:43+00:00\",\"status\":true,\"title\":\"Email Encryption Requirements at CMS\",\"created\":\"2023-02-09T16:39:06+00:00\",\"changed\":\"2024-08-05T15:54:43+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/email-encryption-requirements-cms\",\"pid\":706,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Summary 
of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSummary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/node_type?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/node_type?resourceVersion=id%3A5756\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/revision_uid?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/revision_uid?resourceVersion=id%3A5756\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/uid?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/uid?resourceVersion=id%3A5756\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"2a7eced9-d779-4ebd-869f-7edd2aa83b8a\",\"meta\":{\"target_revision_id\":19045,\"drupal_inter
nal__target_id\":1106}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/field_page_section?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/field_page_section?resourceVersion=id%3A5756\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"5262afc3-2920-4b7e-b083-cec3ede07886\",\"meta\":{\"target_revision_id\":19046,\"drupal_internal__target_id\":1926}},{\"type\":\"paragraph--internal_link\",\"id\":\"d5fd9ffa-0508-4b94-85d9-d04727a36e76\",\"meta\":{\"target_revision_id\":19047,\"drupal_internal__target_id\":1931}},{\"type\":\"paragraph--internal_link\",\"id\":\"3f396b7c-369d-4927-9ed4-674b54a646ca\",\"meta\":{\"target_revision_id\":19048,\"drupal_internal__target_id\":1936}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/field_related_collection?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/field_related_collection?resourceVersion=id%3A5756\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/field_resource_type?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/field_resource_type?resourceVersion=id%3A5756\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26
\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/field_roles?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/field_roles?resourceVersion=id%3A5756\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"meta\":{\"drupal_internal__target_id\":31}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/field_topics?resourceVersion=id%3A5756\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/4b38d646-68b6-48e3-a75e-3032b689d54e/relationships/field_topics?resourceVersion=id%3A5756\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required
\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General 
Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"
data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.or
g/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"
taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0?resourceVersion=id%3A16\"}},\"attributes\":{\"drupal_internal__tid\":16,\"drupal_internal__revision_id\":16,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:20+00:00\",\"status\":true,\"name\":\"CMS Policy \u0026 Guidance\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/vid?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/vid?resourceVersion=id%3A16\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/revision_user?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c1
2221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/revision_user?resourceVersion=id%3A16\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/parent?resourceVersion=id%3A16\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/c12221c3-2c7e-4eb0-903f-0470aad63bf0/relationships/parent?resourceVersion=id%3A16\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf?resourceVersion=id%3A31\"}},\"attributes\":{\"drupal_internal__tid\":31,\"drupal_internal__revision_id\":31,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:48+00:00\",\"status\":true,\"name\":\"Privacy\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/vid?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/vid?resourceVersion=id%3A31\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/revision_
user?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/revision_user?resourceVersion=id%3A31\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/parent?resourceVersion=id%3A31\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/d5e2c0ee-04cb-493b-9338-c97adf0e8adf/relationships/parent?resourceVersion=id%3A31\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"2a7eced9-d779-4ebd-869f-7edd2aa83b8a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a?resourceVersion=id%3A19045\"}},\"attributes\":{\"drupal_internal__id\":1106,\"drupal_internal__revision_id\":19045,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-09T16:42:34+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/paragraph_type?resourceVersion=id%3A19045\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/relationships/paragraph_type
?resourceVersion=id%3A19045\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/field_specialty_item?resourceVersion=id%3A19045\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/2a7eced9-d779-4ebd-869f-7edd2aa83b8a/relationships/field_specialty_item?resourceVersion=id%3A19045\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"5262afc3-2920-4b7e-b083-cec3ede07886\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886?resourceVersion=id%3A19046\"}},\"attributes\":{\"drupal_internal__id\":1926,\"drupal_internal__revision_id\":19046,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:50:20+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/paragraph_type?resourceVersion=id%3A19046\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/relationships/paragraph_type?resourceVersion=id%3A19046\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"adea5bd3-a6c3-4b20-a953-0673e8f5ac17\",\"meta\":{\"drupal_internal__target_id\":706}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-2920-4b7e-b083-cec3ede07886/field_link?resourceVersion=id%3A19046\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/5262afc3-29
20-4b7e-b083-cec3ede07886/relationships/field_link?resourceVersion=id%3A19046\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"d5fd9ffa-0508-4b94-85d9-d04727a36e76\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76?resourceVersion=id%3A19047\"}},\"attributes\":{\"drupal_internal__id\":1931,\"drupal_internal__revision_id\":19047,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:49:44+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/paragraph_type?resourceVersion=id%3A19047\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/relationships/paragraph_type?resourceVersion=id%3A19047\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"f8e23203-8567-43de-8aa4-a901b33bc95b\",\"meta\":{\"drupal_internal__target_id\":601}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/field_link?resourceVersion=id%3A19047\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/d5fd9ffa-0508-4b94-85d9-d04727a36e76/relationships/field_link?resourceVersion=id%3A19047\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"3f396b7c-369d-4927-9ed4-674b54a646ca\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca?resourceVersion=id%3A19048\"}},\"attributes\":{\"drupal
_internal__id\":1936,\"drupal_internal__revision_id\":19048,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-15T20:51:14+00:00\",\"parent_id\":\"716\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/paragraph_type?resourceVersion=id%3A19048\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/relationships/paragraph_type?resourceVersion=id%3A19048\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"meta\":{\"drupal_internal__target_id\":671}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/field_link?resourceVersion=id%3A19048\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/3f396b7c-369d-4927-9ed4-674b54a646ca/relationships/field_link?resourceVersion=id%3A19048\"}}}}},{\"type\":\"node--explainer\",\"id\":\"adea5bd3-a6c3-4b20-a953-0673e8f5ac17\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17?resourceVersion=id%3A5740\"}},\"attributes\":{\"drupal_internal__nid\":706,\"drupal_internal__vid\":5740,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T23:05:04+00:00\",\"status\":true,\"title\":\"CMS Enterprise Data Encryption 
(CEDE)\",\"created\":\"2023-02-08T23:02:09+00:00\",\"changed\":\"2024-07-31T23:05:04+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-enterprise-data-encryption-cede\",\"pid\":696,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"How CMS satisfies federal requirements for the encryption of data to keep sensitive information safe\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eHow CMS satisfies federal requirements for the encryption of data to keep sensitive information safe\u003c/p\u003e\\n\"},\"field_slack_channel\":[\" #ispg-sec_privacy-policy\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/node_type?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/node_type?resourceVersion=id%3A5740\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/revision_uid?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/revision_uid?resourceVersion=id%3A5740\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c
-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/uid?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/uid?resourceVersion=id%3A5740\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"4b1d8d6e-a8a2-4e11-80a6-27a405215623\",\"meta\":{\"target_revision_id\":18947,\"drupal_internal__target_id\":991}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_page_section?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_page_section?resourceVersion=id%3A5740\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"fd0df184-c977-437e-a3cf-dca03ceb1ece\",\"meta\":{\"target_revision_id\":18948,\"drupal_internal__target_id\":1766}},{\"type\":\"paragraph--internal_link\",\"id\":\"30c05b72-b1c5-4a6c-8763-f01546196041\",\"meta\":{\"target_revision_id\":18949,\"drupal_internal__target_id\":1771}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_related_collection?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_related_collection?resourceVersion=id%3A5740\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_resource_type?resourceVersion=id%3A5740\"},\"self\":{\"href\":
\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_resource_type?resourceVersion=id%3A5740\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_roles?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_roles?resourceVersion=id%3A5740\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/field_topics?resourceVersion=id%3A5740\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/adea5bd3-a6c3-4b20-a953-0673e8f5ac17/relationships/field_topics?resourceVersion=id%3A5740\"}}}}},{\"type\":\"node--library\",\"id\":\"f8e23203-8567-43de-8aa4-a901b33bc95b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b?resourceVersion=id%3A5865\"},\"working-copy\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b?resourceVersion=rel%3Aworking-copy\"}},\"attributes\":{\"drupal_internal__nid\":601,\"drupal_internal__vid\":5865,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-13T19:40:37+00:00\",\"status\":true,\"title\":\"CMS Information Systems Security \u0026 Privacy Policy 
(IS2P2)\",\"created\":\"2023-03-01T23:31:37+00:00\",\"changed\":\"2024-08-13T19:40:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"pid\":591,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2024-06-21\",\"field_related_resources\":[{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS) \",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\",\"title\":\"HHS IS2P\",\"options\":[],\"url\":\"https://intranet.hhs.gov/policy/hhs-policy-information-security-and-privacy-protection-is2p\"},{\"uri\":\"entity:node/381\",\"title\":\"National Institute of Standards and Technology (NIST)\",\"options\":[],\"url\":\"/learn/national-institute-standards-and-technology-nist\"}],\"field_short_description\":{\"value\":\"The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe IS2P2 defines how CMS protects and controls access to its information and systems. 
It outlines compliance activities and defines roles and responsibilities.\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/node_type?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/node_type?resourceVersion=id%3A5865\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"a54cc91d-d38c-4158-9cf3-d7bcda34fc84\",\"meta\":{\"drupal_internal__target_id\":110}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/revision_uid?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/revision_uid?resourceVersion=id%3A5865\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/uid?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/uid?resourceVersion=id%3A5865\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_resource_type?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_resource_type?resourceVersio
n=id%3A5865\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_roles?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_roles?resourceVersion=id%3A5865\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/field_topics?resourceVersion=id%3A5865\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/f8e23203-8567-43de-8aa4-a901b33bc95b/relationships/field_topics?resourceVersion=id%3A5865\"}}}}},{\"type\":\"node--explainer\",\"id\":\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf?resourceVersion=id%3A6076\"}},\"attributes\":{\"drupal_internal__nid\":671,\"drupal_internal__vid\":6076,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-15T16:28:16+00:00\",\"status\":true,\"title\":\"Zero Trust 
\",\"created\":\"2023-02-02T19:12:26+00:00\",\"changed\":\"2025-01-15T16:28:16+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/zero-trust\",\"pid\":661,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISPGZeroTrust@cms.hhs.gov\",\"field_contact_name\":\"Zero Trust Team\",\"field_short_description\":{\"value\":\"Security paradigm that requires the continuous verification of system users to promote system security\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSecurity paradigm that requires the continuous verification of system users to promote system security\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-zero-trust\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/node_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/node_type?resourceVersion=id%3A6076\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"bebd6b4a-b250-4060-a68d-15e540df32b8\",\"meta\":{\"drupal_internal__target_id\":138}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/revision_uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/revision_uid?resourceVersion=id%3A6076\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\
"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/uid?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/uid?resourceVersion=id%3A6076\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9271f09e-6087-42ce-9b2a-2ddf6888888d\",\"meta\":{\"target_revision_id\":19936,\"drupal_internal__target_id\":536}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_page_section?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_page_section?resourceVersion=id%3A6076\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"c6911d3e-5198-4b35-ac2a-13d123aedee1\",\"meta\":{\"target_revision_id\":19941,\"drupal_internal__target_id\":3398}},{\"type\":\"paragraph--internal_link\",\"id\":\"2bcabaa5-d621-42c9-bdc8-e0b80b3869d3\",\"meta\":{\"target_revision_id\":19946,\"drupal_internal__target_id\":1616}},{\"type\":\"paragraph--internal_link\",\"id\":\"670741af-bf41-4d99-a21c-a24dc57f4424\",\"meta\":{\"target_revision_id\":19951,\"drupal_internal__target_id\":3499}},{\"type\":\"paragraph--internal_link\",\"id\":\"f7a739a6-3d16-4633-bfad-fd8f469ffb64\",\"meta\":{\"target_revision_id\":19956,\"drupal_internal__target_id\":1611}},{\"type\":\"paragraph--internal_link\",\"id\":\"80d01d00-9ecf-4254-8e6e-a9242e8289f1\",\"meta\":{\"target_revision_id\":19961,\"drupal_internal__target_id\":1621}},{\"type\":\"paragraph--internal_link\",\"id\":\"d576257b-f5ba-4ad4-a81b-7628a82e8dce\",\"meta\":{\"target_revision_id\":19966,\"drupal_internal__target_id\":1626}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer
/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_related_collection?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_related_collection?resourceVersion=id%3A6076\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_resource_type?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_resource_type?resourceVersion=id%3A6076\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_roles?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_roles?resourceVersion=id%3A6076\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/field_topics?resourceVersion=id%3A6076\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/630cad0d-24c7-44f0-8b25-b3ab2faf97cf/relationships/field_topics?resourceVersion=id%3
A6076\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$26\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$62\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$7c\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$96\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$b0\",\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\":\"$ca\",\"d5e2c0ee-04cb-493b-9338-c97adf0e8adf\":\"$e4\",\"2a7eced9-d779-4ebd-869f-7edd2aa83b8a\":\"$fe\",\"5262afc3-2920-4b7e-b083-cec3ede07886\":\"$111\",\"d5fd9ffa-0508-4b94-85d9-d04727a36e76\":\"$123\",\"3f396b7c-369d-4927-9ed4-674b54a646ca\":\"$135\",\"adea5bd3-a6c3-4b20-a953-0673e8f5ac17\":\"$147\",\"f8e23203-8567-43de-8aa4-a901b33bc95b\":\"$187\",\"630cad0d-24c7-44f0-8b25-b3ab2faf97cf\":\"$1c7\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Email Encryption Requirements at CMS | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/email-encryption-requirements-cms\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Email Encryption Requirements at CMS | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Summary of email encryption practices required by federal policies and directives 
that help CMS employees keep sensitive information safe\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/email-encryption-requirements-cms\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/email-encryption-requirements-cms/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Email Encryption Requirements at CMS | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Summary of email encryption practices required by federal policies and directives that help CMS employees keep sensitive information safe\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/email-encryption-requirements-cms/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>