cms-gov/security.cms.gov/learn/isso-service
2025-02-28 14:41:14 -05:00



<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>ISSO As A Service | CMS Information Security &amp; Privacy Group</title><meta name="description" content="ISPG program that provides skilled Information System Security Officers 
(ISSOs) to CMS components in need of professional security and privacy support"/><link rel="canonical" href="https://security.cms.gov/learn/isso-service"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="ISSO As A Service | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support"/><meta property="og:url" content="https://security.cms.gov/learn/isso-service"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/isso-service/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="ISSO As A Service | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/isso-service/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div 
class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> 
(<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" 
aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy 
Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item 
font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a 
href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" 
id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">ISSO As A Service</h1><p class="hero__description">ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISSO Support Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:ISSO@cms.hhs.gov">ISSO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li 
class="line-height-sans-5 margin-top-0">#isso-as-a-service</li><li class="line-height-sans-5 margin-top-0">#cms-isso</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is ISSO As A Service (ISSOaaS)?</h2><p>Information System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a system's life cycle. 
But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.</p><p>To address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaaS) program to deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).</p><p>ISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Request a Service ISSO</h1><p>To get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or send an email to ISSO@cms.hhs.gov. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).</p></section><div class="text-block text-block--theme-explainer"><h2>Why does CMS need ISSOaaS?</h2><p>For all CMS components, the safety of information and systems should be a top priority as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a <strong>suitably skilled and experienced person</strong> who is responsible for these things.</p><p>Sometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. 
This leads to a hazardous situation for the component's information and systems, including:</p><ul><li>Conflict of interest between that person's ISSO role and their other responsibilities</li><li>Insufficient skills, time, and knowledge for that person to properly manage ISSO tasks</li><li>False sense of complacency in the component that security and privacy is being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management</li></ul><h3>Evolving and modernizing information security</h3><p>Beyond ensuring security and privacy compliance, the ISSO role at CMS has grown <strong>increasingly complex and technical</strong> in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. For example:</p><ul><li>Agile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments</li><li>Business Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies</li><li>Federal guidance and requirements are constantly evolving (<a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist">NIST</a>, <a href="https://security.cms.gov/learn/federal-information-systems-management-act-fisma">FISMA</a>, <a href="https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa">HIPAA</a>, DHS, HITECH, IRS)</li><li>CMS is modernizing risk management with programs like <a href="https://security.cms.gov/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a>, <a href="https://security.cms.gov/learn/adaptive-capabilities-testing-act">Cybersecurity and Risk Assessment Program (CSRAP)</a>, and <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a></li></ul><p>ISSO As A Service connects CMS components with 
knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.</p><h2>Who are the Service ISSOs?</h2><p>Within the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.</p><p>Service ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.</p><h3>What tasks can Service ISSOs do?</h3><p>Service ISSOs do the same tasks and have the same skills as <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#introduction">CMS ISSOs</a> although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. 
Responsibilities may include:</p><ul><li>Provide overall professional ISSO support for CMS systems</li><li>Collaborate with system stakeholders and Cyber Risk Advisors</li><li>Evaluate security categorization</li><li>Review compliance assurance and reporting</li><li>Perform risk assessment</li><li>Identify and document security and privacy controls</li><li>Provide guidance for PII, PHI, and FTI compliance</li><li>Perform tasks that support system assessment and authorization</li><li>Review information security and privacy compliance within the <a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc">Target Life Cycle (TLC)</a></li><li>Review and analyze POA&amp;Ms</li><li>Perform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)</li><li>Coordinate Contingency Planning</li><li>Utilize <a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf">CMS Risk Management Framework</a> (as recommended by NIST)</li></ul><h3>Why use a Service ISSO?</h3><p>ISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their system's risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. 
Engaging a Service ISSO will ensure:</p><ul><li>Information systems and information risks and vulnerabilities are identified, and their impact on the organization is quantified, communicated, and understood by all relevant stakeholders</li><li>Appropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems</li><li>Proper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders</li><li>Organizational compliance with policies as well as any external regulatory or legal compliance obligations</li><li>Management is provided with advice concerning cybersecurity strategy and can serve as the organization's contact point for auditors and agencies</li><li>Any necessary coordination of information systems security incident response</li><li>Cybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities</li></ul><h3>When to use Service ISSOs</h3><p>Engaging a Service ISSO could be beneficial for your component if:</p><ul><li>ISSO tasks need to be performed and there is no trained CMS ISSO available</li><li>A new ISSO needs help getting started</li><li>A surge period is causing an unmanageable amount of work for existing ISSOs</li></ul><h3>How to request a Service ISSO</h3><p>If you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process or you can send an email to <a href="mailto:ISSO@cms.hhs.gov">ISSO@cms.hhs.gov</a>.</p><h2>How it works</h2><p>ISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). 
The steps for starting an ISSOaaS engagement are described below.</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Initial request</h4><div class="margin-top-05 usa-process-list__description"><p>A request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email <a href="mailto:ISSO@cms.hhs.gov">ISSO@cms.hhs.gov</a> to let ISPG know that ISSOaaS support is needed.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Kickoff discussion</h4><div class="margin-top-05 usa-process-list__description"><p>A meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. All factors will be evaluated by ISPG and the ISSOaaS contractor.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">ISSOaaS Request Form</h4><div class="margin-top-05 usa-process-list__description"><p>After the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Context assessment</h4><div class="margin-top-05 usa-process-list__description"><p>As ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such as:</p>
<ul>
<li>System complexity</li>
<li>Data sensitivity</li>
<li>Whether the system supports a Mission Essential Function</li>
<li>Whether the system is a High Value Asset (HVA)</li>
</ul></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Skillset categorization</h4><div class="margin-top-05 usa-process-list__description"><p>The ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:</p>
<ul>
<li><a href="https://www.nist.gov/itl/applied-cybersecurity/nice">NICE Framework</a> as applicable to the CMS ISSO role</li>
<li>Role duties and responsibilities as outlined in policy</li>
<li>Required experience, certifications, and areas of expertise</li>
</ul></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Service ISSO onboarding</h4><div class="margin-top-05 usa-process-list__description"><p>Once a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below).</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><h2>Service ISSO onboarding</h2><p>The established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.</p><h3>Business Owner responsibilities</h3><p>The Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:</p><ul><li>Meet the Business Owner and other key stakeholders in the component's organization, including contract developers and contract security staff</li><li>Understand the component's business and cybersecurity environment</li><li>Learn about the component's business model and logic</li></ul><h3>Contractor responsibilities</h3><p>The ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. 
Much of this is managed through the ISSO Information Card, which tracks items such as:</p><ul><li>CMS security clearance</li><li>Fingerprinting</li><li>PIV card</li><li>EUA ID</li><li>eQIP</li></ul><p>The full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO's progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.</p><h3>ISPG responsibilities</h3><p>The CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO's onboarding process (and subsequent engagement). ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.</p><h3>ISSO responsibilities</h3><p>The new Service ISSO is expected to take a proactive role during onboarding, especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).</p><h2>Service ISSO training</h2><p>Service ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. 
Service ISSOs should refer to the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook">CMS Information System Security Officer (ISSO) Handbook</a> as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.</p><p>The ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component's specific needs. Training activities can often happen in tandem with other onboarding activities. In general, Service ISSOs should expect to utilize the following:</p><p><strong>Getting started as a CMS ISSO</strong></p><ul><li>Review <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#role-and-responsibilities">CMS ISSO role and responsibilities</a></li><li>Use the <a href="https://cmsgov.typeform.com/to/c67nf2Wr?typeform-source=cmsgov-ispg.typeform.com">ISSO Scorecard</a> as a quick self-assessment to help you identify areas of training focus</li><li>Watch the <a href="https://www.cms.gov/cbt/login/default.aspx">CMS ISSO video training series</a> (overview of essential job functions)</li><li>Get an <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities">overview of ISSO activities at CMS</a></li><li>Bookmark the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit">ISSO toolkit</a> as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work</li><li>Consider the <a href="https://security.cms.gov/learn/isso-mentorship-program">ISSO Mentorship Program</a> as a way to get extra support from an experienced CMS ISSO</li></ul><p><strong>Role Based Training (RBT)</strong></p><p>You will coordinate with your leadership to learn what kind of <a 
href="https://security.cms.gov/learn/role-based-training-rbt">Role Based Training</a> is required for your position.</p><p><strong>Federal policies and guidance</strong></p><p>Get familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit">ISSO Toolkit</a>.</p><p><strong>CMS and HHS cybersecurity training</strong></p><p>If you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#training">training opportunities here</a>.</p><p><strong>ISSO meetings and community</strong></p><p>You will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.</p><p><strong>Collaboration and relationships</strong></p><p>It's essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team — both CMS staff and contractors — is key to a successful engagement as a Service ISSO.</p><h2>Service ISSO engagement</h2><p>The success of a Service ISSO engagement depends on frequent communication among all stakeholders. <strong>ISPG schedules recurring meetings</strong> to gauge satisfaction and determine if any areas need improvement. 
Regular meetings during the engagement include:</p><ul><li>Satisfaction sessions with Business Owners (as needed)</li><li>Meetings with Service ISSO Lead(s) for check-in and support (weekly)</li><li>Meetings with Service ISSOs for check-in and support (monthly)</li><li>Meetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)</li></ul><p>ISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the <strong>CMS Cybersecurity Community Forum</strong> and the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook"><strong>CMS Information System Security Officer (ISSO) Handbook</strong></a>.</p><h2>Service ISSO off-boarding</h2><p>At the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the <strong>ISSO Information Card</strong> constructed during onboarding, and retains the completed form.</p><h2>Service ISSO qualifications</h2><p>When ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) 
In general, an ISSO should have proven skills and knowledge in the following areas:</p><h3>Cybersecurity federal standards and best practices</h3><ul><li>Comprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.</li><li>Thorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.</li></ul><h3>Information technology (IT)</h3><p>Expert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.</p><h3>Information security disciplines</h3><p>Thorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. 
Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.</p><h3>Information security program evaluation / testing / planning</h3><ul><li>Knowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:<ul><li>Review and evaluate the program's security incident response policies</li><li>Identify need for changes based on new security technologies or threats</li><li>Test and implement new policies</li><li>Institute measures to ensure awareness and compliance</li></ul></li><li>Knowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.</li><li>Ability to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far-reaching security program requirements.</li></ul><h3>Risk assessment and mitigation for new or existing systems</h3><p>Knowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:</p><ul><li>Review proposed new systems, networks, and software designs for potential security risks</li><li>Recommend mitigation or countermeasures</li><li>Resolve integration issues related to the implementation of new systems within the existing infrastructure.</li></ul><h3>Information security leadership and communication</h3><ul><li>Mastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT 
architecture and other IT related legislative and policy initiatives.</li><li>Mastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.</li><li>Demonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.</li></ul></div></section></div></div></div></div></main>
(RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application 
Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement 
(IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act 
(HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System 
Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian 
Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis 
(SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email 
Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat 
Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and 
Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) 
Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer 
(ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor 
(CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program 
(CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy 
(IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization 
Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice 
(SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accountability Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 
Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud 
Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row 
grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock 
icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not 
found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T1c28,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhy does CMS need ISSOaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor all CMS components, the safety of information and systems should be a top priority as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a \u003cstrong\u003esuitably skilled and experienced person\u003c/strong\u003e who is responsible for these things.\u003c/p\u003e\u003cp\u003eSometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. 
This leads to a hazardous situation for the component’s information and systems, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConflict of interest between that person’s ISSO role and their other responsibilities\u003c/li\u003e\u003cli\u003eInsufficient skills, time, and knowledge for that person to properly manage ISSO tasks\u003c/li\u003e\u003cli\u003eFalse sense of complacency in the component that security and privacy are being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvolving and modernizing information security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBeyond ensuring security and privacy compliance, the ISSO role at CMS has grown \u003cstrong\u003eincreasingly complex and technical\u003c/strong\u003e in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. 
For example:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAgile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments\u003c/li\u003e\u003cli\u003eBusiness Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies\u003c/li\u003e\u003cli\u003eFederal guidance and requirements are constantly evolving (\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eNIST\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e, DHS, HITECH, IRS)\u003c/li\u003e\u003cli\u003eCMS is modernizing risk management with programs like \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/adaptive-capabilities-testing-act\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho are the Service ISSOs?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. 
CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.\u003c/p\u003e\u003cp\u003eService ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat tasks can Service ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eService ISSOs do the same tasks and have the same skills as \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#introduction\"\u003eCMS ISSOs\u003c/a\u003e although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide overall professional ISSO support for CMS systems\u003c/li\u003e\u003cli\u003eCollaborate with system stakeholders and Cyber Risk Advisors\u003c/li\u003e\u003cli\u003eEvaluate security categorization\u003c/li\u003e\u003cli\u003eReview compliance assurance and reporting\u003c/li\u003e\u003cli\u003ePerform risk assessment\u003c/li\u003e\u003cli\u003eIdentify and document security and privacy controls\u003c/li\u003e\u003cli\u003eProvide guidance for PII, PHI, and FTI compliance\u003c/li\u003e\u003cli\u003ePerform tasks that support system assessment and authorization\u003c/li\u003e\u003cli\u003eReview information security and privacy compliance within the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eReview and analyze POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003ePerform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)\u003c/li\u003e\u003cli\u003eCoordinate Contingency Planning\u003c/li\u003e\u003cli\u003eUtilize \u003ca 
href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework\u003c/a\u003e (as recommended by NIST)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhy use a Service ISSO?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation systems and information risks and vulnerabilities are identified, their impact to the organization are quantified, communicated, and understood by all relevant stakeholders\u003c/li\u003e\u003cli\u003eAppropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems\u003c/li\u003e\u003cli\u003eProper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders\u003c/li\u003e\u003cli\u003eOrganizational compliance with policies as well as any external regulatory or legal compliance obligations\u003c/li\u003e\u003cli\u003eManagement is provided with advice concerning cybersecurity strategy and can serve as the organizations contact point for auditors and agencies\u003c/li\u003e\u003cli\u003eAny necessary coordination of information systems security incident response\u003c/li\u003e\u003cli\u003eCybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhen to use Service ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEngaging a 
Service ISSO could be beneficial for your component if:\u003c/p\u003e\u003cul\u003e\u003cli\u003eISSO tasks need to be performed and there is no trained CMS ISSO available\u003c/li\u003e\u003cli\u003eA new ISSO needs help getting started\u003c/li\u003e\u003cli\u003eA surge period is causing an unmanageable amount of work for existing ISSOs\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow to request a Service ISSO\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process or you can send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow it works\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). The steps for starting an ISSOaaS engagement are described below.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T1c28,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhy does CMS need ISSOaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor all CMS components, the safety of information and systems should be a top priority as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a \u003cstrong\u003esuitably skilled and experienced person\u003c/strong\u003e who is responsible for these things.\u003c/p\u003e\u003cp\u003eSometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. 
This leads to a hazardous situation for the component’s information and systems, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConflict of interest between that person’s ISSO role and their other responsibilities\u003c/li\u003e\u003cli\u003eInsufficient skills, time, and knowledge for that person to properly manage ISSO tasks\u003c/li\u003e\u003cli\u003eFalse sense of complacency in the component that security and privacy are being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvolving and modernizing information security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBeyond ensuring security and privacy compliance, the ISSO role at CMS has grown \u003cstrong\u003eincreasingly complex and technical\u003c/strong\u003e in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. 
For example:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAgile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments\u003c/li\u003e\u003cli\u003eBusiness Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies\u003c/li\u003e\u003cli\u003eFederal guidance and requirements are constantly evolving (\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eNIST\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e, DHS, HITECH, IRS)\u003c/li\u003e\u003cli\u003eCMS is modernizing risk management with programs like \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/adaptive-capabilities-testing-act\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho are the Service ISSOs?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. 
CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.\u003c/p\u003e\u003cp\u003eService ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat tasks can Service ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eService ISSOs do the same tasks and have the same skills as \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#introduction\"\u003eCMS ISSOs\u003c/a\u003e although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide overall professional ISSO support for CMS systems\u003c/li\u003e\u003cli\u003eCollaborate with system stakeholders and Cyber Risk Advisors\u003c/li\u003e\u003cli\u003eEvaluate security categorization\u003c/li\u003e\u003cli\u003eReview compliance assurance and reporting\u003c/li\u003e\u003cli\u003ePerform risk assessment\u003c/li\u003e\u003cli\u003eIdentify and document security and privacy controls\u003c/li\u003e\u003cli\u003eProvide guidance for PII, PHI, and FTI compliance\u003c/li\u003e\u003cli\u003ePerform tasks that support system assessment and authorization\u003c/li\u003e\u003cli\u003eReview information security and privacy compliance within the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eReview and analyze POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003ePerform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)\u003c/li\u003e\u003cli\u003eCoordinate Contingency Planning\u003c/li\u003e\u003cli\u003eUtilize \u003ca 
href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework\u003c/a\u003e (as recommended by NIST)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhy use a Service ISSO?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation systems and information risks and vulnerabilities are identified, their impact to the organization are quantified, communicated, and understood by all relevant stakeholders\u003c/li\u003e\u003cli\u003eAppropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems\u003c/li\u003e\u003cli\u003eProper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders\u003c/li\u003e\u003cli\u003eOrganizational compliance with policies as well as any external regulatory or legal compliance obligations\u003c/li\u003e\u003cli\u003eManagement is provided with advice concerning cybersecurity strategy and can serve as the organizations contact point for auditors and agencies\u003c/li\u003e\u003cli\u003eAny necessary coordination of information systems security incident response\u003c/li\u003e\u003cli\u003eCybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhen to use Service ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEngaging a 
Service ISSO could be beneficial for your component if:\u003c/p\u003e\u003cul\u003e\u003cli\u003eISSO tasks need to be performed and there is no trained CMS ISSO available\u003c/li\u003e\u003cli\u003eA new ISSO needs help getting started\u003c/li\u003e\u003cli\u003eA surge period is causing an unmanageable amount of work for existing ISSOs\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow to request a Service ISSO\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process or you can send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow it works\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). The steps for starting an ISSOaaS engagement are described below.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:T306e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eService ISSO onboarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Business Owner or component representatives should prepare their organization for the arrival of the ISSO. 
Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMeet the Business Owner and other key stakeholders in the component’s organization, including contract developers and contract security staff\u003c/li\u003e\u003cli\u003eUnderstand the component’s business and cybersecurity environment\u003c/li\u003e\u003cli\u003eLearn about the component’s business model and logic\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContractor responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. Much of this is managed through the ISSO Information Card, which tracks items such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS security clearance\u003c/li\u003e\u003cli\u003eFingerprinting\u003c/li\u003e\u003cli\u003ePIV card\u003c/li\u003e\u003cli\u003eEUA ID\u003c/li\u003e\u003cli\u003eeQIP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO’s progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISPG responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. 
They can help remove blockers or provide support at any point in the ISSO’s onboarding process (and subsequent engagement). ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe new Service ISSO is expected to take a proactive role during onboarding, especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO training\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eService ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.\u003c/p\u003e\u003cp\u003eThe ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component’s specific needs. Training activities can often happen in tandem with other onboarding activities. 
In general, Service ISSOs should expect to utilize the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGetting started as a CMS ISSO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#role-and-responsibilities\"\u003eCMS ISSO role and responsibilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUse the \u003ca href=\"https://cmsgov.typeform.com/to/c67nf2Wr?typeform-source=cmsgov-ispg.typeform.com\"\u003eISSO Scorecard\u003c/a\u003e as a quick self-assessment to help you identify areas of training focus\u003c/li\u003e\u003cli\u003eWatch the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003eCMS ISSO video training series\u003c/a\u003e (overview of essential job functions)\u003c/li\u003e\u003cli\u003eGet an \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eoverview of ISSO activities at CMS\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBookmark the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO toolkit\u003c/a\u003e as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work\u003c/li\u003e\u003cli\u003eConsider the \u003ca href=\"https://security.cms.gov/learn/isso-mentorship-program\"\u003eISSO Mentorship Program\u003c/a\u003e as a way to get extra support from an experienced CMS ISSO\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eRole Based Training (RBT)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will coordinate with your leadership to learn what kind of \u003ca href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003eRole Based Training\u003c/a\u003e is required for your position.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal policies and 
guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eGet familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO Toolkit\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS and HHS cybersecurity training\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#training\"\u003etraining opportunities here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO meetings and community\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCollaboration and relationships\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIt’s essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team — both CMS staff and contractors — is key to a successful engagement as a Service ISSO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO engagement\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe success of a Service ISSO engagement depends on frequent communication among all stakeholders. \u003cstrong\u003eISPG schedules recurring meetings\u003c/strong\u003e to gauge satisfaction and determine if any areas need improvement. 
Regular meetings during the engagement include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSatisfaction sessions with Business Owners (as needed)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSO Lead(s) for check-in and support (weekly)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSOs for check-in and support (monthly)\u003c/li\u003e\u003cli\u003eMeetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the \u003cstrong\u003eCMS Cybersecurity Community Forum\u003c/strong\u003e and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/strong\u003e\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO off-boarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the\u003cstrong\u003e ISSO Information Card\u003c/strong\u003e constructed during onboarding, and retains the completed form.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO qualifications\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) 
In general, an ISSO should have proven skills and knowledge in the following areas:\u003c/p\u003e\u003ch3\u003eCybersecurity federal standards and best practices\u003c/h3\u003e\u003cul\u003e\u003cli\u003eComprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.\u003c/li\u003e\u003cli\u003eThorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation technology (IT)\u003c/h3\u003e\u003cp\u003eExpert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.\u003c/p\u003e\u003ch3\u003eInformation security disciplines\u003c/h3\u003e\u003cp\u003eThorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. 
Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.\u003c/p\u003e\u003ch3\u003eInformation security program evaluation / testing / planning\u003c/h3\u003e\u003cul\u003e\u003cli\u003eKnowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:\u003cul\u003e\u003cli\u003eReview and evaluate programs security incident response policies\u003c/li\u003e\u003cli\u003eIdentify need for changes based on new security technologies or threats\u003c/li\u003e\u003cli\u003eTest and implement new policies\u003c/li\u003e\u003cli\u003eInstitute measures to ensure awareness and compliance\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eKnowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.\u003c/li\u003e\u003cli\u003eAbility to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far reaching security program requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRisk assessment and mitigation for new or existing systems\u003c/h3\u003e\u003cp\u003eKnowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview proposed new systems, networks, and software designs for potential security risks\u003c/li\u003e\u003cli\u003eRecommendations for mitigation or countermeasures\u003c/li\u003e\u003cli\u003eResolve integration issues related to the implementation of new systems within the existing 
infrastructure.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation security leadership and communication\u003c/h3\u003e\u003cul\u003e\u003cli\u003eMastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT related legislative and policy initiatives.\u003c/li\u003e\u003cli\u003eMastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.\u003c/li\u003e\u003cli\u003eDemonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1b:T306e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eService ISSO onboarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. 
ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMeet the Business Owner and other key stakeholders in the component’s organization, including contract developers and contract security staff\u003c/li\u003e\u003cli\u003eUnderstand the component’s business and cybersecurity environment\u003c/li\u003e\u003cli\u003eLearn about the component’s business model and logic\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContractor responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. Much of this is managed through the ISSO Information Card, which tracks items such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS security clearance\u003c/li\u003e\u003cli\u003eFingerprinting\u003c/li\u003e\u003cli\u003ePIV card\u003c/li\u003e\u003cli\u003eEUA ID\u003c/li\u003e\u003cli\u003eeQIP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO’s progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISPG responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO’s onboarding process (and subsequent engagement). 
ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe new Service ISSO is expected to take a proactive role during onboarding especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO training\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eService ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.\u003c/p\u003e\u003cp\u003eThe ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the components specific needs. Training activities can often happen in tandem with other onboarding activities. 
In general, Service ISSOs should expect to utilize the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGetting started as a CMS ISSO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#role-and-responsibilities\"\u003eCMS ISSO role and responsibilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUse the \u003ca href=\"https://cmsgov.typeform.com/to/c67nf2Wr?typeform-source=cmsgov-ispg.typeform.com\"\u003eISSO Scorecard\u003c/a\u003e as a quick self-assessment to help you identify areas of training focus\u003c/li\u003e\u003cli\u003eWatch the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003eCMS ISSO video training series\u003c/a\u003e (overview of essential job functions)\u003c/li\u003e\u003cli\u003eGet an \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eoverview of ISSO activities at CMS\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBookmark the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO toolkit\u003c/a\u003e as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work\u003c/li\u003e\u003cli\u003eConsider the \u003ca href=\"https://security.cms.gov/learn/isso-mentorship-program\"\u003eISSO Mentorship Program\u003c/a\u003e as a way to get extra support from an experienced CMS ISSO\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eRole Based Training (RBT)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will coordinate with your leadership to learn what kind of \u003ca href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003eRole Based Training\u003c/a\u003e is required for your position.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal policies and 
guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eGet familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO Toolkit\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS and HHS cybersecurity training\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#training\"\u003etraining opportunities here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO meetings and community\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCollaboration and relationships\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIt’s essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team — both CMS staff and contractors — is key to a successful engagement as a Service ISSO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO engagement\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe success of a Service ISSO engagement depends on frequent communication among all stakeholders. \u003cstrong\u003eISPG schedules recurring meetings\u003c/strong\u003e to gauge satisfaction and determine if any areas need improvement. 
Regular meetings during the engagement include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSatisfaction sessions with Business Owners (as needed)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSO Lead(s) for check-in and support (weekly)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSOs for check-in and support (monthly)\u003c/li\u003e\u003cli\u003eMeetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the \u003cstrong\u003eCMS Cybersecurity Community Forum\u003c/strong\u003e and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/strong\u003e\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO off-boarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the\u003cstrong\u003e ISSO Information Card\u003c/strong\u003e constructed during onboarding, and retains the completed form.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO qualifications\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) 
In general, an ISSO should have proven skills and knowledge in the following areas:\u003c/p\u003e\u003ch3\u003eCybersecurity federal standards and best practices\u003c/h3\u003e\u003cul\u003e\u003cli\u003eComprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.\u003c/li\u003e\u003cli\u003eThorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation technology (IT)\u003c/h3\u003e\u003cp\u003eExpert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.\u003c/p\u003e\u003ch3\u003eInformation security disciplines\u003c/h3\u003e\u003cp\u003eThorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. 
Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.\u003c/p\u003e\u003ch3\u003eInformation security program evaluation / testing / planning\u003c/h3\u003e\u003cul\u003e\u003cli\u003eKnowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:\u003cul\u003e\u003cli\u003eReview and evaluate program’s security incident response policies\u003c/li\u003e\u003cli\u003eIdentify need for changes based on new security technologies or threats\u003c/li\u003e\u003cli\u003eTest and implement new policies\u003c/li\u003e\u003cli\u003eInstitute measures to ensure awareness and compliance\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eKnowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.\u003c/li\u003e\u003cli\u003eAbility to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far reaching security program requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRisk assessment and mitigation for new or existing systems\u003c/h3\u003e\u003cp\u003eKnowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview proposed new systems, networks, and software designs for potential security risks\u003c/li\u003e\u003cli\u003eRecommend mitigation or countermeasures\u003c/li\u003e\u003cli\u003eResolve integration issues related to the implementation of new systems within the existing 
infrastructure.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation security leadership and communication\u003c/h3\u003e\u003cul\u003e\u003cli\u003eMastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT related legislative and policy initiatives.\u003c/li\u003e\u003cli\u003eMastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.\u003c/li\u003e\u003cli\u003eDemonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain 
language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"jcallan - retired\"}\n26:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"mburgess\"}\n2a:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / 
Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:0"])</script><script>self.__next_f.push([1,"0\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_inter"])</script><script>self.__next_f.push([1,"nal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/role"])</script><script>self.__next_f.push([1,"s/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles\",\""])</script><script>self.__next_f.push([1,"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n93:{\"relate"])</script><script>self.__next_f.push([1,"d\":\"$94\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System 
Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"topics\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"}\naf:{\"href\":\""])</script><script>self.__next_f.push([1,"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2?resourceVersion=id%3A18790\"}\nb1:{\"self\":\"$b2\"}\nb4:[]\nb5:{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is ISSO As A Service (ISSOaaS)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eInformation System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a systems life cycle. 
But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.\u003c/p\u003e\u003cp\u003eTo address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaaS) program to deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).\u003c/p\u003e\u003cp\u003eISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is ISSO As A Service (ISSOaaS)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eInformation System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a system’s life cycle. 
But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.\u003c/p\u003e\u003cp\u003eTo address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaas) program t"])</script><script>self.__next_f.push([1,"o deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).\u003c/p\u003e\u003cp\u003eISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.\u003c/p\u003e\"}\nb3:{\"drupal_internal__id\":2301,\"drupal_internal__revision_id\":18790,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-01T16:21:34+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$b4\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$b5\"}\nb9:{\"drupal_internal__target_id\":\"page_section\"}\nb8:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$b9\"}\nbb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/paragraph_type?resourceVersion=id%3A18790\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/relationships/paragraph_type?resourceVersion=id%3A18790\"}\nba:{\"related\":\"$bb\",\"self\":\"$bc\"}\nb7:{\"data\":\"$b8\",\"links\":\"$ba\"}\nbf:{\"target_revision_id\":18789,\"drupal_internal__target_id\":2816}\nbe:{\"type\":\"paragraph--call_out_box\",\"id\":\"9509616c-61cb-4029-b20d-98dd4a1768de\",\"meta\":\"$bf\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/fi
eld_specialty_item?resourceVersion=id%3A18790\"}\nc2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/relationships/field_specialty_item?resourceVersion=id%3A18790\"}\nc0:{\"related\":\"$c1\",\"self\":\"$c2\"}\nbd:{\"data\":\"$be\",\"links\":\"$c0\"}\nb6:{\"paragraph_type\":\"$b7\",\"field_specialty_item\":\"$bd\"}\nb0:{\"type\":\"paragraph--page_section\",\"id\":\"c5efb977-1db9-4584-85ad-9f10aa4794a2\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b6\"}\nc5:{\"href\""])</script><script>self.__next_f.push([1,":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5?resourceVersion=id%3A18798\"}\nc4:{\"self\":\"$c5\"}\nc7:[]\nc9:T1c28,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhy does CMS need ISSOaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor all CMS components, the safety of information and systems should be a top priority as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a \u003cstrong\u003esuitably skilled and experienced person\u003c/strong\u003e who is responsible for these things.\u003c/p\u003e\u003cp\u003eSometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. 
This leads to a hazardous situation for the component's information and systems, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConflict of interest between that person's ISSO role and their other responsibilities\u003c/li\u003e\u003cli\u003eInsufficient skills, time, and knowledge for that person to properly manage ISSO tasks\u003c/li\u003e\u003cli\u003eFalse sense of complacency in the component that security and privacy is being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvolving and modernizing information security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBeyond ensuring security and privacy compliance, the ISSO role at CMS has grown \u003cstrong\u003eincreasingly complex and technical\u003c/strong\u003e in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. 
For example:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAgile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments\u003c/li\u003e\u003cli\u003eBusiness Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies\u003c/li\u003e\u003cli\u003eFederal guidance and requirements are constantly evolving (\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eNIST\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e, DHS, HITECH, IRS)\u003c/li\u003e\u003cli\u003eCMS is modernizing risk management with programs like \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/adaptive-capabilities-testing-act\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho are the Service ISSOs?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. 
CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.\u003c/p\u003e\u003cp\u003eService ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat tasks can Service ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eService ISSOs do the same tasks and have the same skills as \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#introduction\"\u003eCMS ISSOs\u003c/a\u003e although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide overall professional ISSO support for CMS systems\u003c/li\u003e\u003cli\u003eCollaborate with system stakeholders and Cyber Risk Advisors\u003c/li\u003e\u003cli\u003eEvaluate security categorization\u003c/li\u003e\u003cli\u003eReview compliance assurance and reporting\u003c/li\u003e\u003cli\u003ePerform risk assessment\u003c/li\u003e\u003cli\u003eIdentify and document security and privacy controls\u003c/li\u003e\u003cli\u003eProvide guidance for PII, PHI, and FTI compliance\u003c/li\u003e\u003cli\u003ePerform tasks that support system assessment and authorization\u003c/li\u003e\u003cli\u003eReview information security and privacy compliance within the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eReview and analyze POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003ePerform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)\u003c/li\u003e\u003cli\u003eCoordinate Contingency Planning\u003c/li\u003e\u003cli\u003eUtilize \u003ca 
href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework\u003c/a\u003e (as recommended by NIST)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhy use a Service ISSO?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation systems and information risks and vulnerabilities are identified, their impact to the organization are quantified, communicated, and understood by all relevant stakeholders\u003c/li\u003e\u003cli\u003eAppropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems\u003c/li\u003e\u003cli\u003eProper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders\u003c/li\u003e\u003cli\u003eOrganizational compliance with policies as well as any external regulatory or legal compliance obligations\u003c/li\u003e\u003cli\u003eManagement is provided with advice concerning cybersecurity strategy and can serve as the organizations contact point for auditors and agencies\u003c/li\u003e\u003cli\u003eAny necessary coordination of information systems security incident response\u003c/li\u003e\u003cli\u003eCybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhen to use Service ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEngaging a 
Service ISSO could be beneficial for your component if:\u003c/p\u003e\u003cul\u003e\u003cli\u003eISSO tasks need to be performed and there is no trained CMS ISSO available\u003c/li\u003e\u003cli\u003eA new ISSO needs help getting started\u003c/li\u003e\u003cli\u003eA surge period is causing an unmanageable amount of work for existing ISSOs\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow to request a Service ISSO\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process or you can send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow it works\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). The steps for starting an ISSOaaS engagement are described below.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"ca:T1c28,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhy does CMS need ISSOaaS?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eFor all CMS components, the safety of information and systems should be a top priority as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a \u003cstrong\u003esuitably skilled and experienced person\u003c/strong\u003e who is responsible for these things.\u003c/p\u003e\u003cp\u003eSometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. 
This leads to a hazardous situation for the component's information and systems, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eConflict of interest between that person's ISSO role and their other responsibilities\u003c/li\u003e\u003cli\u003eInsufficient skills, time, and knowledge for that person to properly manage ISSO tasks\u003c/li\u003e\u003cli\u003eFalse sense of complacency in the component that security and privacy is being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eEvolving and modernizing information security\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBeyond ensuring security and privacy compliance, the ISSO role at CMS has grown \u003cstrong\u003eincreasingly complex and technical\u003c/strong\u003e in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. 
For example:\u003c/p\u003e\u003cul\u003e\u003cli\u003eAgile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments\u003c/li\u003e\u003cli\u003eBusiness Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies\u003c/li\u003e\u003cli\u003eFederal guidance and requirements are constantly evolving (\u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist\"\u003eNIST\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/federal-information-systems-management-act-fisma\"\u003eFISMA\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/health-insurance-portability-and-accountability-act-1996-hipaa\"\u003eHIPAA\u003c/a\u003e, DHS, HITECH, IRS)\u003c/li\u003e\u003cli\u003eCMS is modernizing risk management with programs like \u003ca href=\"https://security.cms.gov/learn/ongoing-authorization-oa\"\u003eOngoing Authorization (OA)\u003c/a\u003e, \u003ca href=\"https://security.cms.gov/learn/adaptive-capabilities-testing-act\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e, and \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWho are the Service ISSOs?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWithin the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. 
CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.\u003c/p\u003e\u003cp\u003eService ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat tasks can Service ISSOs do?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eService ISSOs do the same tasks and have the same skills as \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#introduction\"\u003eCMS ISSOs\u003c/a\u003e although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProvide overall professional ISSO support for CMS systems\u003c/li\u003e\u003cli\u003eCollaborate with system stakeholders and Cyber Risk Advisors\u003c/li\u003e\u003cli\u003eEvaluate security categorization\u003c/li\u003e\u003cli\u003eReview compliance assurance and reporting\u003c/li\u003e\u003cli\u003ePerform risk assessment\u003c/li\u003e\u003cli\u003eIdentify and document security and privacy controls\u003c/li\u003e\u003cli\u003eProvide guidance for PII, PHI, and FTI compliance\u003c/li\u003e\u003cli\u003ePerform tasks that support system assessment and authorization\u003c/li\u003e\u003cli\u003eReview information security and privacy compliance within the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eReview and analyze POA\u0026amp;Ms\u003c/li\u003e\u003cli\u003ePerform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)\u003c/li\u003e\u003cli\u003eCoordinate Contingency Planning\u003c/li\u003e\u003cli\u003eUtilize \u003ca 
href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework\u003c/a\u003e (as recommended by NIST)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhy use a Service ISSO?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation systems and information risks and vulnerabilities are identified, their impact to the organization are quantified, communicated, and understood by all relevant stakeholders\u003c/li\u003e\u003cli\u003eAppropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems\u003c/li\u003e\u003cli\u003eProper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders\u003c/li\u003e\u003cli\u003eOrganizational compliance with policies as well as any external regulatory or legal compliance obligations\u003c/li\u003e\u003cli\u003eManagement is provided with advice concerning cybersecurity strategy and can serve as the organizations contact point for auditors and agencies\u003c/li\u003e\u003cli\u003eAny necessary coordination of information systems security incident response\u003c/li\u003e\u003cli\u003eCybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eWhen to use Service ISSOs\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEngaging a 
Service ISSO could be beneficial for your component if:\u003c/p\u003e\u003cul\u003e\u003cli\u003eISSO tasks need to be performed and there is no trained CMS ISSO available\u003c/li\u003e\u003cli\u003eA new ISSO needs help getting started\u003c/li\u003e\u003cli\u003eA surge period is causing an unmanageable amount of work for existing ISSOs\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eHow to request a Service ISSO\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eIf you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process or you can send an email to \u003ca href=\"mailto:ISSO@cms.hhs.gov\"\u003eISSO@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow it works\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). 
The steps for starting an ISSOaaS engagement are described below.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"c8:{\"value\":\"$c9\",\"format\":\"body_text\",\"processed\":\"$ca\"}\nc6:{\"drupal_internal__id\":2856,\"drupal_internal__revision_id\":18798,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:15:01+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$c7\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$c8\"}\nce:{\"drupal_internal__target_id\":\"page_section\"}\ncd:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$ce\"}\nd0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/paragraph_type?resourceVersion=id%3A18798\"}\nd1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/relationships/paragraph_type?resourceVersion=id%3A18798\"}\ncf:{\"related\":\"$d0\",\"self\":\"$d1\"}\ncc:{\"data\":\"$cd\",\"links\":\"$cf\"}\nd4:{\"target_revision_id\":18797,\"drupal_internal__target_id\":2851}\nd3:{\"type\":\"paragraph--process_list\",\"id\":\"645cc37b-06c0-4447-ad2d-280c9c2aa7e3\",\"meta\":\"$d4\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/field_specialty_item?resourceVersion=id%3A18798\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/relationships/field_specialty_item?resourceVersion=id%3A18798\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd2:{\"data\":\"$d3\",\"links\":\"$d5\"}\ncb:{\"paragraph_type\":\"$cc\",\"field_specialty_item\":\"$d2\"}\nc3:{\"type\":\"paragraph--page_section\",\"id\":\"b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5\",\"links\":\"$c4\",\"attributes\":\"$c6\",\"relationships\":\"$cb\"}\nda:{\"href\":\"https://cybergeek.cms.
gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a?resourceVersion=id%3A18799\"}\nd9:{\"self\":\"$da\"}\ndc:[]\nde:T306e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eService ISSO onboarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMeet the Business Owner and other key stakeholders in the component's organization, including contract developers and contract security staff\u003c/li\u003e\u003cli\u003eUnderstand the component's business and cybersecurity environment\u003c/li\u003e\u003cli\u003eLearn about the component's business model and logic\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContractor responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. 
Much of this is managed through the ISSO Information Card, which tracks items such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS security clearance\u003c/li\u003e\u003cli\u003eFingerprinting\u003c/li\u003e\u003cli\u003ePIV card\u003c/li\u003e\u003cli\u003eEUA ID\u003c/li\u003e\u003cli\u003eeQIP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO's progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISPG responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO's onboarding process (and subsequent engagement). ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe new Service ISSO is expected to take a proactive role during onboarding – especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. 
In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO training\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eService ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.\u003c/p\u003e\u003cp\u003eThe ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component's specific needs. Training activities can often happen in tandem with other onboarding activities. 
In general, Service ISSOs should expect to utilize the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGetting started as a CMS ISSO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#role-and-responsibilities\"\u003eCMS ISSO role and responsibilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUse the \u003ca href=\"https://cmsgov.typeform.com/to/c67nf2Wr?typeform-source=cmsgov-ispg.typeform.com\"\u003eISSO Scorecard\u003c/a\u003e as a quick self-assessment to help you identify areas of training focus\u003c/li\u003e\u003cli\u003eWatch the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003eCMS ISSO video training series\u003c/a\u003e (overview of essential job functions)\u003c/li\u003e\u003cli\u003eGet an \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eoverview of ISSO activities at CMS\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBookmark the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO toolkit\u003c/a\u003e as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work\u003c/li\u003e\u003cli\u003eConsider the \u003ca href=\"https://security.cms.gov/learn/isso-mentorship-program\"\u003eISSO Mentorship Program\u003c/a\u003e as a way to get extra support from an experienced CMS ISSO\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eRole Based Training (RBT)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will coordinate with your leadership to learn what kind of \u003ca href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003eRole Based Training\u003c/a\u003e is required for your position.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal policies and 
guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eGet familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO Toolkit\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS and HHS cybersecurity training\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#training\"\u003etraining opportunities here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO meetings and community\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCollaboration and relationships\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIt's essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team – both CMS staff and contractors – is key to a successful engagement as a Service ISSO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO engagement\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe success of a Service ISSO engagement depends on frequent communication among all stakeholders. \u003cstrong\u003eISPG schedules recurring meetings\u003c/strong\u003e to gauge satisfaction and determine if any areas need improvement. 
Regular meetings during the engagement include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSatisfaction sessions with Business Owners (as needed)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSO Lead(s) for check-in and support (weekly)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSOs for check-in and support (monthly)\u003c/li\u003e\u003cli\u003eMeetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the \u003cstrong\u003eCMS Cybersecurity Community Forum\u003c/strong\u003e and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/strong\u003e\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO off-boarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the\u003cstrong\u003e ISSO Information Card\u003c/strong\u003e constructed during onboarding, and retains the completed form.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO qualifications\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) 
In general, an ISSO should have proven skills and knowledge in the following areas:\u003c/p\u003e\u003ch3\u003eCybersecurity federal standards and best practices\u003c/h3\u003e\u003cul\u003e\u003cli\u003eComprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.\u003c/li\u003e\u003cli\u003eThorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation technology (IT)\u003c/h3\u003e\u003cp\u003eExpert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.\u003c/p\u003e\u003ch3\u003eInformation security disciplines\u003c/h3\u003e\u003cp\u003eThorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. 
Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.\u003c/p\u003e\u003ch3\u003eInformation security program evaluation / testing / planning\u003c/h3\u003e\u003cul\u003e\u003cli\u003eKnowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:\u003cul\u003e\u003cli\u003eReview and evaluate programs security incident response policies\u003c/li\u003e\u003cli\u003eIdentify need for changes based on new security technologies or threats\u003c/li\u003e\u003cli\u003eTest and implement new policies\u003c/li\u003e\u003cli\u003eInstitute measures to ensure awareness and compliance\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eKnowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.\u003c/li\u003e\u003cli\u003eAbility to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far reaching security program requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRisk assessment and mitigation for new or existing systems\u003c/h3\u003e\u003cp\u003eKnowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview proposed new systems, networks, and software designs for potential security risks\u003c/li\u003e\u003cli\u003eRecommendations for mitigation or countermeasures\u003c/li\u003e\u003cli\u003eResolve integration issues related to the implementation of new systems within the existing 
infrastructure.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation security leadership and communication\u003c/h3\u003e\u003cul\u003e\u003cli\u003eMastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT related legislative and policy initiatives.\u003c/li\u003e\u003cli\u003eMastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.\u003c/li\u003e\u003cli\u003eDemonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"df:T306e,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eService ISSO onboarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. 
ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMeet the Business Owner and other key stakeholders in the component's organization, including contract developers and contract security staff\u003c/li\u003e\u003cli\u003eUnderstand the component's business and cybersecurity environment\u003c/li\u003e\u003cli\u003eLearn about the component's business model and logic\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eContractor responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. Much of this is managed through the ISSO Information Card, which tracks items such as:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCMS security clearance\u003c/li\u003e\u003cli\u003eFingerprinting\u003c/li\u003e\u003cli\u003ePIV card\u003c/li\u003e\u003cli\u003eEUA ID\u003c/li\u003e\u003cli\u003eeQIP\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO's progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISPG responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO's onboarding process (and subsequent engagement). 
ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eISSO responsibilities\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe new Service ISSO is expected to take a proactive role during onboarding, especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO training\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eService ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/a\u003e as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.\u003c/p\u003e\u003cp\u003eThe ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component's specific needs. Training activities can often happen in tandem with other onboarding activities. 
In general, Service ISSOs should expect to utilize the following:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGetting started as a CMS ISSO\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#role-and-responsibilities\"\u003eCMS ISSO role and responsibilities\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUse the \u003ca href=\"https://cmsgov.typeform.com/to/c67nf2Wr?typeform-source=cmsgov-ispg.typeform.com\"\u003eISSO Scorecard\u003c/a\u003e as a quick self-assessment to help you identify areas of training focus\u003c/li\u003e\u003cli\u003eWatch the \u003ca href=\"https://www.cms.gov/cbt/login/default.aspx\"\u003eCMS ISSO video training series\u003c/a\u003e (overview of essential job functions)\u003c/li\u003e\u003cli\u003eGet an \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eoverview of ISSO activities at CMS\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBookmark the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO toolkit\u003c/a\u003e as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work\u003c/li\u003e\u003cli\u003eConsider the \u003ca href=\"https://security.cms.gov/learn/isso-mentorship-program\"\u003eISSO Mentorship Program\u003c/a\u003e as a way to get extra support from an experienced CMS ISSO\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eRole Based Training (RBT)\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will coordinate with your leadership to learn what kind of \u003ca href=\"https://security.cms.gov/learn/role-based-training-rbt\"\u003eRole Based Training\u003c/a\u003e is required for your position.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal policies and 
guidance\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eGet familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-toolkit\"\u003eISSO Toolkit\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCMS and HHS cybersecurity training\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIf you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#training\"\u003etraining opportunities here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eISSO meetings and community\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eYou will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCollaboration and relationships\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIt's essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team, both CMS staff and contractors, is key to a successful engagement as a Service ISSO.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO engagement\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe success of a Service ISSO engagement depends on frequent communication among all stakeholders. \u003cstrong\u003eISPG schedules recurring meetings\u003c/strong\u003e to gauge satisfaction and determine if any areas need improvement. 
Regular meetings during the engagement include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSatisfaction sessions with Business Owners (as needed)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSO Lead(s) for check-in and support (weekly)\u003c/li\u003e\u003cli\u003eMeetings with Service ISSOs for check-in and support (monthly)\u003c/li\u003e\u003cli\u003eMeetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the \u003cstrong\u003eCMS Cybersecurity Community Forum\u003c/strong\u003e and the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook\"\u003e\u003cstrong\u003eCMS Information System Security Officer (ISSO) Handbook\u003c/strong\u003e\u003c/a\u003e.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO off-boarding\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the\u003cstrong\u003e ISSO Information Card\u003c/strong\u003e constructed during onboarding, and retains the completed form.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eService ISSO qualifications\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) 
In general, an ISSO should have proven skills and knowledge in the following areas:\u003c/p\u003e\u003ch3\u003eCybersecurity federal standards and best practices\u003c/h3\u003e\u003cul\u003e\u003cli\u003eComprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.\u003c/li\u003e\u003cli\u003eThorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation technology (IT)\u003c/h3\u003e\u003cp\u003eExpert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.\u003c/p\u003e\u003ch3\u003eInformation security disciplines\u003c/h3\u003e\u003cp\u003eThorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. 
Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.\u003c/p\u003e\u003ch3\u003eInformation security program evaluation / testing / planning\u003c/h3\u003e\u003cul\u003e\u003cli\u003eKnowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:\u003cul\u003e\u003cli\u003eReview and evaluate programs security incident response policies\u003c/li\u003e\u003cli\u003eIdentify need for changes based on new security technologies or threats\u003c/li\u003e\u003cli\u003eTest and implement new policies\u003c/li\u003e\u003cli\u003eInstitute measures to ensure awareness and compliance\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eKnowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.\u003c/li\u003e\u003cli\u003eAbility to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far reaching security program requirements.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRisk assessment and mitigation for new or existing systems\u003c/h3\u003e\u003cp\u003eKnowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:\u003c/p\u003e\u003cul\u003e\u003cli\u003eReview proposed new systems, networks, and software designs for potential security risks\u003c/li\u003e\u003cli\u003eRecommendations for mitigation or countermeasures\u003c/li\u003e\u003cli\u003eResolve integration issues related to the implementation of new systems within the existing 
infrastructure.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eInformation security leadership and communication\u003c/h3\u003e\u003cul\u003e\u003cli\u003eMastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT related legislative and policy initiatives.\u003c/li\u003e\u003cli\u003eMastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.\u003c/li\u003e\u003cli\u003eDemonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.\u003c/li\u003e\u003c/ul\u003e"])</script><script>self.__next_f.push([1,"dd:{\"value\":\"$de\",\"format\":\"body_text\",\"processed\":\"$df\"}\ndb:{\"drupal_internal__id\":2896,\"drupal_internal__revision_id\":18799,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:23:41+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$dc\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$dd\"}\ne3:{\"drupal_internal__target_id\":\"page_section\"}\ne2:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$e3\"}\ne5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/paragraph_type?resourceVersion=id%3A18799\"}\ne6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/relationships/paragraph_type?resourceVersion=id%3A18799\"}\ne4:{\"related\":
\"$e5\",\"self\":\"$e6\"}\ne1:{\"data\":\"$e2\",\"links\":\"$e4\"}\ne9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/field_specialty_item?resourceVersion=id%3A18799\"}\nea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/relationships/field_specialty_item?resourceVersion=id%3A18799\"}\ne8:{\"related\":\"$e9\",\"self\":\"$ea\"}\ne7:{\"data\":null,\"links\":\"$e8\"}\ne0:{\"paragraph_type\":\"$e1\",\"field_specialty_item\":\"$e7\"}\nd8:{\"type\":\"paragraph--page_section\",\"id\":\"c74f04af-8147-45ce-9add-6aa8c5f4c57a\",\"links\":\"$d9\",\"attributes\":\"$db\",\"relationships\":\"$e0\"}\ned:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de?resourceVersion=id%3A18789\"}\nec:{\"self\":\"$ed\"}\nef:[]\nf0:{\"value\":\"To get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or send an email to ISSO@cms.hhs.gov. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTo get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or"])</script><script>self.__next_f.push([1," send an email to \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. 
The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).\u003c/p\u003e\\n\"}\nee:{\"drupal_internal__id\":2816,\"drupal_internal__revision_id\":18789,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:13:19+00:00\",\"parent_id\":\"2301\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$ef\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":null,\"field_call_out_link_text\":null,\"field_call_out_text\":\"$f0\",\"field_header\":\"Request a Service ISSO\"}\nf4:{\"drupal_internal__target_id\":\"call_out_box\"}\nf3:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$f4\"}\nf6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de/paragraph_type?resourceVersion=id%3A18789\"}\nf7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de/relationships/paragraph_type?resourceVersion=id%3A18789\"}\nf5:{\"related\":\"$f6\",\"self\":\"$f7\"}\nf2:{\"data\":\"$f3\",\"links\":\"$f5\"}\nf1:{\"paragraph_type\":\"$f2\"}\neb:{\"type\":\"paragraph--call_out_box\",\"id\":\"9509616c-61cb-4029-b20d-98dd4a1768de\",\"links\":\"$ec\",\"attributes\":\"$ee\",\"relationships\":\"$f1\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3?resourceVersion=id%3A18797\"}\nf9:{\"self\":\"$fa\"}\nfc:[]\nfb:{\"drupal_internal__id\":2851,\"drupal_internal__revision_id\":18797,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:10+00:00\",\"parent_id\":\"2856\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$fc\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n100:{\"drupal_internal__target_id\":\"process
_list\"}\nff:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$100\"}\n102:{\"href\":\"https://cybergeek.cms.gov/jso"])</script><script>self.__next_f.push([1,"napi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/paragraph_type?resourceVersion=id%3A18797\"}\n103:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/relationships/paragraph_type?resourceVersion=id%3A18797\"}\n101:{\"related\":\"$102\",\"self\":\"$103\"}\nfe:{\"data\":\"$ff\",\"links\":\"$101\"}\n107:{\"target_revision_id\":18791,\"drupal_internal__target_id\":2821}\n106:{\"type\":\"paragraph--process_list_item\",\"id\":\"c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c\",\"meta\":\"$107\"}\n109:{\"target_revision_id\":18792,\"drupal_internal__target_id\":2826}\n108:{\"type\":\"paragraph--process_list_item\",\"id\":\"a66435a2-ab00-43b2-a92d-5c98c0b267a0\",\"meta\":\"$109\"}\n10b:{\"target_revision_id\":18793,\"drupal_internal__target_id\":2831}\n10a:{\"type\":\"paragraph--process_list_item\",\"id\":\"e785b314-6921-4f3d-853d-496fe3ff42fe\",\"meta\":\"$10b\"}\n10d:{\"target_revision_id\":18794,\"drupal_internal__target_id\":2836}\n10c:{\"type\":\"paragraph--process_list_item\",\"id\":\"6dd275cc-2128-4561-afa7-103647838f80\",\"meta\":\"$10d\"}\n10f:{\"target_revision_id\":18795,\"drupal_internal__target_id\":2841}\n10e:{\"type\":\"paragraph--process_list_item\",\"id\":\"13f6e917-a678-4913-955a-7e5ef8a2cad0\",\"meta\":\"$10f\"}\n111:{\"target_revision_id\":18796,\"drupal_internal__target_id\":2846}\n110:{\"type\":\"paragraph--process_list_item\",\"id\":\"773290cf-e4e1-4381-a801-0129f307d3f0\",\"meta\":\"$111\"}\n105:[\"$106\",\"$108\",\"$10a\",\"$10c\",\"$10e\",\"$110\"]\n113:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/field_process_list_item?resourceVersion=id%3A18797\"}\n114:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process
_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/relationships/field_process_list_item?resourceVersion=id%3A18797\"}\n112:{\"related\":\"$113\",\"self\":\"$114\"}\n104:{\"data\":\"$105\",\"links\":\"$112\"}\nfd:{\"paragraph_type\":\"$fe\",\"field_process_list_item\":\"$104\"}\nf8:{\"type\":\"paragraph--process_list\",\"id\":\"645cc37b-06c0-4447-ad2d-280c9c2aa7e3\",\"links\":\"$f9\",\"attributes\":\"$fb\",\"relationships\":\"$fd\"}\n117:{\"href\":\"https://cybergeek.cms.gov"])</script><script>self.__next_f.push([1,"/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c?resourceVersion=id%3A18791\"}\n116:{\"self\":\"$117\"}\n119:[]\n11a:{\"value\":\"\u003cp\u003eA request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e to let ISPG know that ISSOaaS support is needed.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eA request by a Business Owner initiates the process for a Service ISSO. 
The Business Owner should talk to their CRA or email \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e to let ISPG know that ISSOaaS support is needed.\u003c/p\u003e\"}\n118:{\"drupal_internal__id\":2821,\"drupal_internal__revision_id\":18791,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:10+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$119\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$11a\",\"field_list_item_title\":\"Initial request\"}\n11e:{\"drupal_internal__target_id\":\"process_list_item\"}\n11d:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$11e\"}\n120:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c/paragraph_type?resourceVersion=id%3A18791\"}\n121:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c/relationships/paragraph_type?resourceVersion=id%3A18791\"}\n11f:{\"related\":\"$120\",\"self\":\"$121\"}\n11c:{\"data\":\"$11d\",\"links\":\"$11f\"}\n11b:{\"paragraph_type\":\"$11c\"}\n115:{\"type\":\"paragraph--process_list_item\",\"id\":\"c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c\",\"links\":\"$116\",\"attributes\":\"$118\",\"relationships\":\"$11b\"}\n124:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0?resourceVersion=id%3A18792\"}\n123:{\"self\":\"$124\"}\n126:[]\n127:{\"value\":\"\u003cp\u003eA meeting to discuss the requirements of the engagement will be s"])</script><script>self.__next_f.push([1,"cheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. 
All factors will be evaluated by ISPG and the ISSOaaS contractor.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eA meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. All factors will be evaluated by ISPG and the ISSOaaS contractor.\u003c/p\u003e\"}\n125:{\"drupal_internal__id\":2826,\"drupal_internal__revision_id\":18792,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:36+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$126\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$127\",\"field_list_item_title\":\"Kickoff discussion\"}\n12b:{\"drupal_internal__target_id\":\"process_list_item\"}\n12a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$12b\"}\n12d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0/paragraph_type?resourceVersion=id%3A18792\"}\n12e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0/relationships/paragraph_type?resourceVersion=id%3A18792\"}\n12c:{\"related\":\"$12d\",\"self\":\"$12e\"}\n129:{\"data\":\"$12a\",\"links\":\"$12c\"}\n128:{\"paragraph_type\":\"$129\"}\n122:{\"type\":\"paragraph--process_list_item\",\"id\":\"a66435a2-ab00-43b2-a92d-5c98c0b267a0\",\"links\":\"$123\",\"attributes\":\"$125\",\"relationships\":\"$128\"}\n131:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe?resourceVersion=id%3A18793\"}\n130:{\"self\":\"$131\"}\n133:[]\n134:{\"value\":\"\u003cp\u003eAfter the meeting, ISPG 
will complete an"])</script><script>self.__next_f.push([1," ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAfter the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.\u003c/p\u003e\"}\n132:{\"drupal_internal__id\":2831,\"drupal_internal__revision_id\":18793,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:19:02+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$133\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$134\",\"field_list_item_title\":\"ISSOaaS Request Form\"}\n138:{\"drupal_internal__target_id\":\"process_list_item\"}\n137:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$138\"}\n13a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe/paragraph_type?resourceVersion=id%3A18793\"}\n13b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe/relationships/paragraph_type?resourceVersion=id%3A18793\"}\n139:{\"related\":\"$13a\",\"self\":\"$13b\"}\n136:{\"data\":\"$137\",\"links\":\"$139\"}\n135:{\"paragraph_type\":\"$136\"}\n12f:{\"type\":\"paragraph--process_list_item\",\"id\":\"e785b314-6921-4f3d-853d-496fe3ff42fe\",\"links\":\"$130\",\"attributes\":\"$132\",\"relationships\":\"$135\"}\n13e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80?resourceVersion=id%3A18794\"}\n13d:{\"self\":\"$13e\"}\n140:[]\n141:{\"value\":\"\u003cp\u003eAs ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including 
factors such as:\u003c/p\u003e\\r\\n\\r\\n\u003cul\u003e\\r\\n\\t\u003cli\u003eSystem complexity\u003c/li\u003e\\r\\n\\t\u003cli\u003eData sensitivity\u003c/li\u003e\\r\\n\\t\u003cli\u003eWhether the system supports a Mission Essential Function\u003c/li\u003e\\r\\n\\t\u003cli\u003eWhether the system is a High Value Asset (HVA)\u003c/li\u003e\\r\\n\u003c/ul\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAs IS"])</script><script>self.__next_f.push([1,"PG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such as:\u003c/p\u003e\\n\\n\u003cul\u003e\\n\\t\u003cli\u003eSystem complexity\u003c/li\u003e\\n\\t\u003cli\u003eData sensitivity\u003c/li\u003e\\n\\t\u003cli\u003eWhether the system supports a Mission Essential Function\u003c/li\u003e\\n\\t\u003cli\u003eWhether the system is a High Value Asset (HVA)\u003c/li\u003e\\n\u003c/ul\u003e\"}\n13f:{\"drupal_internal__id\":2836,\"drupal_internal__revision_id\":18794,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:21:53+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$140\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$141\",\"field_list_item_title\":\"Context 
assessment\"}\n145:{\"drupal_internal__target_id\":\"process_list_item\"}\n144:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$145\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80/paragraph_type?resourceVersion=id%3A18794\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80/relationships/paragraph_type?resourceVersion=id%3A18794\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n142:{\"paragraph_type\":\"$143\"}\n13c:{\"type\":\"paragraph--process_list_item\",\"id\":\"6dd275cc-2128-4561-afa7-103647838f80\",\"links\":\"$13d\",\"attributes\":\"$13f\",\"relationships\":\"$142\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0?resourceVersion=id%3A18795\"}\n14a:{\"self\":\"$14b\"}\n14d:[]\n14e:{\"value\":\"\u003cp\u003eThe ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:\u003c/p\u003e\\r\\n\\r\\n\u003cul\u003e\\r\\n\\t\u003cli\u003e\u003ca href=\\\"https://www.nist.gov/itl/applied-cybersecurity/nice\\\"\u003eNICE Framework\u003c/a\u003e as applicable to the CMS ISSO role\u003c/li\u003e\\r\\n\\t\u003cli\u003eRole duties and responsibilities as outlined in policy\u003c/li\u003e\\r\\n\\t\u003cli\u003eRequired experience, certifications, and areas "])</script><script>self.__next_f.push([1,"of expertise\u003c/li\u003e\\r\\n\u003c/ul\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:\u003c/p\u003e\\n\\n\u003cul\u003e\\n\\t\u003cli\u003e\u003ca href=\\\"https://www.nist.gov/itl/applied-cybersecurity/nice\\\"\u003eNICE Framework\u003c/a\u003e as applicable to the CMS ISSO role\u003c/li\u003e\\n\\t\u003cli\u003eRole 
duties and responsibilities as outlined in policy\u003c/li\u003e\\n\\t\u003cli\u003eRequired experience, certifications, and areas of expertise\u003c/li\u003e\\n\u003c/ul\u003e\"}\n14c:{\"drupal_internal__id\":2841,\"drupal_internal__revision_id\":18795,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:22:28+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$14d\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$14e\",\"field_list_item_title\":\"Skillset categorization\"}\n152:{\"drupal_internal__target_id\":\"process_list_item\"}\n151:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$152\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0/paragraph_type?resourceVersion=id%3A18795\"}\n155:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0/relationships/paragraph_type?resourceVersion=id%3A18795\"}\n153:{\"related\":\"$154\",\"self\":\"$155\"}\n150:{\"data\":\"$151\",\"links\":\"$153\"}\n14f:{\"paragraph_type\":\"$150\"}\n149:{\"type\":\"paragraph--process_list_item\",\"id\":\"13f6e917-a678-4913-955a-7e5ef8a2cad0\",\"links\":\"$14a\",\"attributes\":\"$14c\",\"relationships\":\"$14f\"}\n158:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0?resourceVersion=id%3A18796\"}\n157:{\"self\":\"$158\"}\n15a:[]\n15b:{\"value\":\"\u003cp\u003eOnce a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. 
(More details below).\u003c/p\u003e\\r\\n\",\""])</script><script>self.__next_f.push([1,"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eOnce a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below).\u003c/p\u003e\"}\n159:{\"drupal_internal__id\":2846,\"drupal_internal__revision_id\":18796,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:23:18+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$15a\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$15b\",\"field_list_item_title\":\"Service ISSO onboarding\"}\n15f:{\"drupal_internal__target_id\":\"process_list_item\"}\n15e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$15f\"}\n161:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0/paragraph_type?resourceVersion=id%3A18796\"}\n162:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0/relationships/paragraph_type?resourceVersion=id%3A18796\"}\n160:{\"related\":\"$161\",\"self\":\"$162\"}\n15d:{\"data\":\"$15e\",\"links\":\"$160\"}\n15c:{\"paragraph_type\":\"$15d\"}\n156:{\"type\":\"paragraph--process_list_item\",\"id\":\"773290cf-e4e1-4381-a801-0129f307d3f0\",\"links\":\"$157\",\"attributes\":\"$159\",\"relationships\":\"$15c\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"1d9ebea4-c62b-42aa-9363-2fd5fd87db32\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32?resourceVersion=id%3A5723\"}},\"attributes
\":{\"drupal_internal__nid\":766,\"drupal_internal__vid\":5723,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-29T18:58:25+00:00\",\"status\":true,\"title\":\"ISSO As A Service\",\"created\":\"2023-03-01T16:19:53+00:00\",\"changed\":\"2024-07-29T18:58:25+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/isso-service\",\"pid\":746,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ISSO@cms.hhs.gov\",\"field_contact_name\":\"ISSO Support Team\",\"field_short_description\":{\"value\":\"ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy 
support\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#isso-as-a-service\",\"#cms-isso\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/node_type?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/node_type?resourceVersion=id%3A5723\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/revision_uid?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/revision_uid?resourceVersion=id%3A5723\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/uid?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/uid?resourceVersion=id%3A5723\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"c5efb977-1db9-4584-85ad-9f10aa4794a2\",\"meta\":{\"target_revision_id\":18790,\"drupal_internal__target_id\":2301}},{\"type\":\"paragraph--page_section\",\"id\":\"b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5\",\"meta\":{\"target_revision_id\":18798,\"drupal_internal__target_id\":2856}},{\"type\":\"paragraph--page_section\",\"id\":\"c74f04af-8147-45ce-9add-6aa8c5f4c57a\",\"meta\":{\"target_revision_id\":187
99,\"drupal_internal__target_id\":2896}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/field_page_section?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/field_page_section?resourceVersion=id%3A5723\"}}},\"field_related_collection\":{\"data\":[],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/field_related_collection?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/field_related_collection?resourceVersion=id%3A5723\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/field_resource_type?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/field_resource_type?resourceVersion=id%3A5723\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/field_roles?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/field_roles?
resourceVersion=id%3A5723\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/field_topics?resourceVersion=id%3A5723\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/1d9ebea4-c62b-42aa-9363-2fd5fd87db32/relationships/field_topics?resourceVersion=id%3A5723\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - 
retired\"}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core
-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"
taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.or
g/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}},\"attributes\":{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}}},\"parent\":{\"data\
":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"c5efb977-1db9-4584-85ad-9f10aa4794a2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2?resourceVersion=id%3A18790\"}},\"attributes\":{\"drupal_internal__id\":2301,\"drupal_internal__revision_id\":18790,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-01T16:21:34+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"\u003ch2\u003e\u003cstrong\u003eWhat is ISSO As A Service (ISSOaaS)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eInformation System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a systems life cycle. 
But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.\u003c/p\u003e\u003cp\u003eTo address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaaS) program to deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).\u003c/p\u003e\u003cp\u003eISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.\u003c/p\u003e\",\"format\":\"body_text\",\"processed\":\"\u003ch2\u003e\u003cstrong\u003eWhat is ISSO As A Service (ISSOaaS)?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eInformation System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a system's life cycle. 
But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.\u003c/p\u003e\u003cp\u003eTo address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaas) program to deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).\u003c/p\u003e\u003cp\u003eISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.\u003c/p\u003e\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/paragraph_type?resourceVersion=id%3A18790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/relationships/paragraph_type?resourceVersion=id%3A18790\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id\":\"9509616c-61cb-4029-b20d-98dd4a1768de\",\"meta\":{\"target_revision_id\":18789,\"drupal_internal__target_id\":2816}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/field_specialty_item?resourceVersion=id%3A18790\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c5efb977-1db9-4584-85ad-9f10aa4794a2/relationships/field_specialty_item?resourceVersion=id%3A18790\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/pag
e_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5?resourceVersion=id%3A18798\"}},\"attributes\":{\"drupal_internal__id\":2856,\"drupal_internal__revision_id\":18798,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:15:01+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/paragraph_type?resourceVersion=id%3A18798\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/relationships/paragraph_type?resourceVersion=id%3A18798\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"645cc37b-06c0-4447-ad2d-280c9c2aa7e3\",\"meta\":{\"target_revision_id\":18797,\"drupal_internal__target_id\":2851}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/field_specialty_item?resourceVersion=id%3A18798\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5/relationships/field_specialty_item?resourceVersion=id%3A18798\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"c74f04af-8147-45ce-9add-6aa8c5f4c57a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a?resourceVersion=id%3A18799\"}},\"attributes\":{\"drupal_internal__id\":2896,\"drupal_internal__revision_id\":18799,\"langcode\":\"en\",\"status\":true,\"created\"
:\"2023-04-24T15:23:41+00:00\",\"parent_id\":\"766\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/paragraph_type?resourceVersion=id%3A18799\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/relationships/paragraph_type?resourceVersion=id%3A18799\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/field_specialty_item?resourceVersion=id%3A18799\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/c74f04af-8147-45ce-9add-6aa8c5f4c57a/relationships/field_specialty_item?resourceVersion=id%3A18799\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"9509616c-61cb-4029-b20d-98dd4a1768de\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de?resourceVersion=id%3A18789\"}},\"attributes\":{\"drupal_internal__id\":2816,\"drupal_internal__revision_id\":18789,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:13:19+00:00\",\"parent_id\":\"2301\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":null,\"field_call_out_link_text\":null,\"field_call_out_text\":{\"value\":\"To get started with ISSO As A Service, you 
can talk to your Cyber Risk Advisor (CRA) or send an email to ISSO@cms.hhs.gov. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTo get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or send an email to \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).\u003c/p\u003e\\n\"},\"field_header\":\"Request a Service ISSO\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de/paragraph_type?resourceVersion=id%3A18789\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/9509616c-61cb-4029-b20d-98dd4a1768de/relationships/paragraph_type?resourceVersion=id%3A18789\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"645cc37b-06c0-4447-ad2d-280c9c2aa7e3\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3?resourceVersion=id%3A18797\"}},\"attributes\":{\"drupal_internal__id\":2851,\"drupal_internal__revision_id\":18797,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:10+00:00\",\"parent_id\":\"2856\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__targe
t_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/paragraph_type?resourceVersion=id%3A18797\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/relationships/paragraph_type?resourceVersion=id%3A18797\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c\",\"meta\":{\"target_revision_id\":18791,\"drupal_internal__target_id\":2821}},{\"type\":\"paragraph--process_list_item\",\"id\":\"a66435a2-ab00-43b2-a92d-5c98c0b267a0\",\"meta\":{\"target_revision_id\":18792,\"drupal_internal__target_id\":2826}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e785b314-6921-4f3d-853d-496fe3ff42fe\",\"meta\":{\"target_revision_id\":18793,\"drupal_internal__target_id\":2831}},{\"type\":\"paragraph--process_list_item\",\"id\":\"6dd275cc-2128-4561-afa7-103647838f80\",\"meta\":{\"target_revision_id\":18794,\"drupal_internal__target_id\":2836}},{\"type\":\"paragraph--process_list_item\",\"id\":\"13f6e917-a678-4913-955a-7e5ef8a2cad0\",\"meta\":{\"target_revision_id\":18795,\"drupal_internal__target_id\":2841}},{\"type\":\"paragraph--process_list_item\",\"id\":\"773290cf-e4e1-4381-a801-0129f307d3f0\",\"meta\":{\"target_revision_id\":18796,\"drupal_internal__target_id\":2846}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/field_process_list_item?resourceVersion=id%3A18797\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/645cc37b-06c0-4447-ad2d-280c9c2aa7e3/relationships/field_process_list_item?resourceVersion=id%3A18797\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9e
d9-3c8bd04bc87c?resourceVersion=id%3A18791\"}},\"attributes\":{\"drupal_internal__id\":2821,\"drupal_internal__revision_id\":18791,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:10+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eA request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e to let ISPG know that ISSOaaS support is needed.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eA request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email \u003ca href=\\\"mailto:ISSO@cms.hhs.gov\\\"\u003eISSO@cms.hhs.gov\u003c/a\u003e to let ISPG know that ISSOaaS support is needed.\u003c/p\u003e\"},\"field_list_item_title\":\"Initial 
request\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c/paragraph_type?resourceVersion=id%3A18791\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c/relationships/paragraph_type?resourceVersion=id%3A18791\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"a66435a2-ab00-43b2-a92d-5c98c0b267a0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0?resourceVersion=id%3A18792\"}},\"attributes\":{\"drupal_internal__id\":2826,\"drupal_internal__revision_id\":18792,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:18:36+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eA meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. All factors will be evaluated by ISPG and the ISSOaaS contractor.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eA meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. 
All factors will be evaluated by ISPG and the ISSOaaS contractor.\u003c/p\u003e\"},\"field_list_item_title\":\"Kickoff discussion\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0/paragraph_type?resourceVersion=id%3A18792\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/a66435a2-ab00-43b2-a92d-5c98c0b267a0/relationships/paragraph_type?resourceVersion=id%3A18792\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"e785b314-6921-4f3d-853d-496fe3ff42fe\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe?resourceVersion=id%3A18793\"}},\"attributes\":{\"drupal_internal__id\":2831,\"drupal_internal__revision_id\":18793,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:19:02+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eAfter the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAfter the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.\u003c/p\u003e\"},\"field_list_item_title\":\"ISSOaaS Request 
Form\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe/paragraph_type?resourceVersion=id%3A18793\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/e785b314-6921-4f3d-853d-496fe3ff42fe/relationships/paragraph_type?resourceVersion=id%3A18793\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"6dd275cc-2128-4561-afa7-103647838f80\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80?resourceVersion=id%3A18794\"}},\"attributes\":{\"drupal_internal__id\":2836,\"drupal_internal__revision_id\":18794,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:21:53+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eAs ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such as:\u003c/p\u003e\\r\\n\\r\\n\u003cul\u003e\\r\\n\\t\u003cli\u003eSystem complexity\u003c/li\u003e\\r\\n\\t\u003cli\u003eData sensitivity\u003c/li\u003e\\r\\n\\t\u003cli\u003eWhether the system supports a Mission Essential Function\u003c/li\u003e\\r\\n\\t\u003cli\u003eWhether the system is a High Value Asset (HVA)\u003c/li\u003e\\r\\n\u003c/ul\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eAs ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such 
as:\u003c/p\u003e\\n\\n\u003cul\u003e\\n\\t\u003cli\u003eSystem complexity\u003c/li\u003e\\n\\t\u003cli\u003eData sensitivity\u003c/li\u003e\\n\\t\u003cli\u003eWhether the system supports a Mission Essential Function\u003c/li\u003e\\n\\t\u003cli\u003eWhether the system is a High Value Asset (HVA)\u003c/li\u003e\\n\u003c/ul\u003e\"},\"field_list_item_title\":\"Context assessment\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80/paragraph_type?resourceVersion=id%3A18794\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/6dd275cc-2128-4561-afa7-103647838f80/relationships/paragraph_type?resourceVersion=id%3A18794\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"13f6e917-a678-4913-955a-7e5ef8a2cad0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0?resourceVersion=id%3A18795\"}},\"attributes\":{\"drupal_internal__id\":2841,\"drupal_internal__revision_id\":18795,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:22:28+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eThe ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:\u003c/p\u003e\\r\\n\\r\\n\u003cul\u003e\\r\\n\\t\u003cli\u003e\u003ca href=\\\"https://www.nist.gov/itl/applied-cybersecurity/nice\\\"\u003eNICE Framework\u003c/a\u003e as applicable to the CMS ISSO role\u003c/li\u003e\\r\\n\\t\u003cli\u003eRole duties and responsibilities as 
outlined in policy\u003c/li\u003e\\r\\n\\t\u003cli\u003eRequired experience, certifications, and areas of expertise\u003c/li\u003e\\r\\n\u003c/ul\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eThe ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:\u003c/p\u003e\\n\\n\u003cul\u003e\\n\\t\u003cli\u003e\u003ca href=\\\"https://www.nist.gov/itl/applied-cybersecurity/nice\\\"\u003eNICE Framework\u003c/a\u003e as applicable to the CMS ISSO role\u003c/li\u003e\\n\\t\u003cli\u003eRole duties and responsibilities as outlined in policy\u003c/li\u003e\\n\\t\u003cli\u003eRequired experience, certifications, and areas of expertise\u003c/li\u003e\\n\u003c/ul\u003e\"},\"field_list_item_title\":\"Skillset categorization\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0/paragraph_type?resourceVersion=id%3A18795\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/13f6e917-a678-4913-955a-7e5ef8a2cad0/relationships/paragraph_type?resourceVersion=id%3A18795\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"773290cf-e4e1-4381-a801-0129f307d3f0\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0?resourceVersion=id%3A18796\"}},\"attributes\":{\"drupal_internal__id\":2846,\"drupal_internal__revision_id\":18796,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-04-24T15:23:18+00:00\",\"parent_id\":\"2851\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"val
ue\":\"\u003cp\u003eOnce a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below).\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eOnce a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below).\u003c/p\u003e\"},\"field_list_item_title\":\"Service ISSO onboarding\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0/paragraph_type?resourceVersion=id%3A18796\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/773290cf-e4e1-4381-a801-0129f307d3f0/relationships/paragraph_type?resourceVersion=id%3A18796\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$26\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$2a\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$62\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7c\",\"0bc7c1d0-b569-4514-b66c-367457dead7e\":\"$96\",\"c5efb977-1db9-4584-85ad-9f10aa4794a2\":\"$b0\",\"b5eca2e1-cb7d-472a-ab8a-03e21c0a0cc5\":\"$c3\",\"c74f04af-8147-45ce-9add-6aa8c5f4c57a\":\"$d8\",\"9509616c-61cb-4029-b20d-98dd4a1768de\":\"$eb\",\"645cc37b-06c0-4447-ad2d-280c9c2aa7e3\":\"$f8\",\"c1bf99a6-fc22-4fdf-9ed9-3c8bd04bc87c\":\"$115\",\"a66435a2-ab00-43b2-a92d-5c98c0b267a0\":\"
$122\",\"e785b314-6921-4f3d-853d-496fe3ff42fe\":\"$12f\",\"6dd275cc-2128-4561-afa7-103647838f80\":\"$13c\",\"13f6e917-a678-4913-955a-7e5ef8a2cad0\":\"$149\",\"773290cf-e4e1-4381-a801-0129f307d3f0\":\"$156\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"ISSO As A Service | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/isso-service\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"ISSO As A Service | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy 
support\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/isso-service\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/isso-service/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"ISSO As A Service | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/isso-service/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>